![Page 1: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/1.jpg)
SSH Tricks and More!
Presented by Kyle Young
![Page 2: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/2.jpg)
Who am I?
• Just another computer technician
• Obtaining my macro degree in network administration from GRCC
• Planning on getting a Bachelor's degree in Digital Forensics at FSU
• Been tinkering with computers since I was in middle school
• Became obsessed with Information Security in 2005
• Owner/Hoster of zitstif.no-ip.org
• Administrator on HITB forums
![Page 3: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/3.jpg)
Read this book if you want to learn more about SSH!
SSH, The Secure Shell: The Definitive Guide, 2nd Edition
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
Publisher: O'Reilly Media
Released: May 2005
Pages: 668
![Page 4: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/4.jpg)
Presentation Note!
I WILL NOT BE COVERING THE PROPRIETARY VERSION OF SSH (Tectia)
SORRY!
![Page 5: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/5.jpg)
Why do a presentation on SSH tricks?
• SSH is one of my favorite protocols
• There have been plenty of articles and blog posts on the subject. I thought it was time to aggregate these and add some of my own tips/tricks
![Page 6: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/6.jpg)
What is SSH?
• Is it a shell? … No
• Is it a solution to all of your security problems? … No
“Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.” - en.wikipedia.org/wiki/SSh
![Page 7: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/7.jpg)
SSH History
• SSH v1.x - Invented by Tatu Ylönen in 1995
• Created in response to a password sniffing attack that took place at Helsinki University of Technology
• Created as a secure replacement for the telnet, rlogin and rsh protocols
![Page 8: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/8.jpg)
SSH and You!
• If you work in the information technology realm, there’s a good chance you have used SSH before.
• The SSH client is natively available on practically all non-Windows operating systems
• Can be more quick and dirty than Remote Desktop
• Easier to use on a phone than Remote Desktop (you may want to check out ‘mosh’, http://mosh.mit.edu/)
![Page 9: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/9.jpg)
What can I use SSH for?
• Logging in to a shell on a remote host
• Executing a single command on a remote host (replacing rsh)
• Secure file transfer (scp/sftp)
• Port forwarding and tunneling
• Forwarding X11 from remote hosts
• The list goes on... https://en.wikipedia.org/wiki/Secure_Shell#Usage
![Page 10: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/10.jpg)
SSH and Cyber Espionage
• Duqu (Nov 2011): Kaspersky’s analysis of Duqu’s command-and-control servers (CentOS boxes) could not confirm how they had been taken over. One hypothesis was an unknown vulnerability in the OpenSSH 4.3 the servers ran; the other was a brute-forced root password.
– Whatever the entry vector, the attackers upgraded OpenSSH to version 5.8 immediately after taking each server, presumably to close the door behind them. This was the C&C operators’ work on their own servers, not something the Duqu malware did on victim machines.
![Page 11: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/11.jpg)
Speaking of SCADA/SSH...
“Another day, another SCADA threat: ICS-CERT is now warning utilities and other critical infrastructure providers about potential brute-force attacks against control systems with SSH command-line access. “- Kelly Jackson Higgins (darkreading.com)Feb 06, 2012
![Page 12: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/12.jpg)
Basic SSH Usage
![Page 13: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/13.jpg)
Insecurity Issues With Default Client Settings
Make sure your clients (and servers) are strictly using protocol version 2, or they may be vulnerable to version downgrade attacks!
You can also edit your ssh_config and set the directive:
Protocol 2
(This matters on OpenSSH releases that still speak version 1. Server-side SSHv1 support was removed in OpenSSH 7.4 and client-side support in 7.6; from there on only version 2 exists and the directive is unnecessary.)
![Page 14: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/14.jpg)
Downgrade attacks on SSH Clients
Image From http://openmaniak.com/
Downgrade attacks can be performed with ettercap-ng and ettercap filters! The ssh filter rewrites the server’s “SSH-1.99” banner (meaning “I speak 1.x and 2.0”) to “SSH-1.51” in transit, so a client that still allows protocol 1 falls back to SSHv1, which ettercap can man-in-the-middle and decrypt. A client pinned to Protocol 2 simply refuses the forged banner.
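To make the downgrade concrete, here is an added example (mine, not from the slides or from ettercap’s own code) that parses the SSH identification strings both sides exchange before key exchange, applies the same banner rewrite the ettercap filter performs, and shows why a Protocol 2 client refuses the result while a Protocol 2,1 client silently continues on SSHv1. The banners are constructed samples.

```python
import re

# Identification string per RFC 4253 section 4.2:
#   "SSH-protoversion-softwareversion [comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_banner(line):
    """Split an SSH identification string into (protoversion, softwareversion)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("software")


def major_versions(proto):
    """Protocol majors a peer is willing to speak. '1.99' is RFC 4253's way for
    a server to say 'I do both 1.x and 2.0'; anything else is a single major."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}


def client_accepts(server_banner, allowed_majors=(2,)):
    """Would a client configured with these protocol majors continue the
    handshake? 'Protocol 2' in ssh_config corresponds to allowed_majors=(2,)."""
    proto, _ = parse_banner(server_banner)
    return bool(major_versions(proto) & set(allowed_majors))


def ettercap_ssh_downgrade(server_banner):
    """What ettercap's classic ssh downgrade filter does to the server banner in
    transit: 'SSH-1.99' (both versions offered) becomes 'SSH-1.51' (v1 only)."""
    return server_banner.replace("SSH-1.99", "SSH-1.51")


if __name__ == "__main__":
    # Constructed sample banner from an old server that still offers both versions.
    real = "SSH-1.99-OpenSSH_4.3"
    forged = ettercap_ssh_downgrade(real)
    print("server sends   :", real, "offers majors", sorted(major_versions(parse_banner(real)[0])))
    print("client receives:", forged)
    print("Protocol 2 client continues?  ", client_accepts(forged))          # False
    print("Protocol 2,1 client continues?", client_accepts(forged, (2, 1)))  # True, on SSHv1
```

The second client in the demo never sees an error; it just ends up on a protocol ettercap can decrypt, which is why the slide insists on `Protocol 2` rather than the old default of `2,1`.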
![Page 15: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/15.jpg)
Connecting for the first time to an SSH Server: Do you know it’s safe?
http://www.itworld.com/it-managementstrategy/261500/16-ultimate-openssh-hacks
If you’re careful, verify the host key fingerprint (and randomart image) against the one ssh shows you when you connect for the first time.
To do so, on the server side, over a channel you already trust (the console, an existing session, or your configuration management), run:
ssh-keygen -lvf /etc/ssh/ssh_host_rsa_key.pub
(The .pub file is world-readable, so sudo is not required; -l prints the fingerprint and -v adds the randomart. Clients older than OpenSSH 6.8 display MD5 fingerprints; add -E md5 on the server to print that format for comparison.)
Then on your client side, edit your ssh_config file and set:
VisualHostKey yes
![Page 16: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/16.jpg)
Connecting for the first time to an SSH Server: Do you know it’s safe?
http://www.itworld.com/it-managementstrategy/261500/16-ultimate-openssh-hacks
One issue with this: “Obviously you need a secure method of getting verified copies of the fingerprint and randomart images for the computers you want to log into. ” - Carla Schroder
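As an added example (not from the slides or the linked article), the following computes the same fingerprints `ssh-keygen -l` prints, from a `*.pub` or known_hosts line, and compares one against a value obtained out of band, which is the check Carla Schroder’s caveat is about. The sample input is GitHub’s published ssh-ed25519 host key and fingerprint, public values used here only as test data.

```python
import base64
import hashlib
import hmac
import struct

# Test data for this example: GitHub's published ssh-ed25519 host key in
# known_hosts format (a public value; any ssh_host_*.pub line works too).
KNOWN_HOSTS_LINE = (
    "github.com ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
)
# The fingerprint GitHub publishes on its website: the out-of-band value you
# compare against, obtained from somewhere other than the connection itself.
PUBLISHED_FINGERPRINT = "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"


def key_blob(line):
    """Return (keytype, raw key blob) from a *.pub or known_hosts line."""
    fields = line.split()
    # known_hosts lines carry a leading host (or hashed host) field; *.pub lines do not
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # the wire blob starts with a length-prefixed copy of the key type; check they agree
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type %r does not match blob" % keytype)
    return keytype, blob


def fingerprint_sha256(blob):
    """What 'ssh-keygen -l' prints since OpenSSH 6.8: base64 SHA-256, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """What older clients print (and 'ssh-keygen -l -E md5' on newer ones)."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def host_key_matches(line, expected_fingerprint):
    """Compare a key line against a fingerprint you obtained out of band."""
    _, blob = key_blob(line)
    if expected_fingerprint.startswith("SHA256:"):
        computed = fingerprint_sha256(blob)
    elif expected_fingerprint.startswith("MD5:"):
        computed = fingerprint_md5(blob)
    else:
        raise ValueError("unknown fingerprint format")
    return hmac.compare_digest(computed, expected_fingerprint)


if __name__ == "__main__":
    keytype, blob = key_blob(KNOWN_HOSTS_LINE)
    print(keytype, fingerprint_sha256(blob))
    print(keytype, fingerprint_md5(blob))
    print("matches published value:", host_key_matches(KNOWN_HOSTS_LINE, PUBLISHED_FINGERPRINT))
```

The fingerprint is over the raw key blob (the base64 field), never over the text line, which is why a host can be listed under any name or hashed name and still produce the same fingerprint; it is also why the fingerprint you fetch out of band must be for the key type the server actually presents.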
![Page 17: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/17.jpg)
One other thing.. Oh yeah Kippo can be ugly..
http://pauldotcom.com/wiki/index.php/Episode194#Tech_Segment:_Capturing_SSH_Credentials
An attacker can capture your SSHv2 credentials using Kippo (an SSH honeypot that accepts logins and records the password typed):
• To do so an attacker needs to be on your local area network, or be spoofing the IP address or domain name of the SSH server host that the victim is trying to connect to.
• Set up Kippo to listen on the appropriate port.
• If needed, perform an ARP poisoning attack on the victim.
• Once the victim tries to connect they would most likely get a mismatching fingerprint. However, with PuTTY, an ignorant or hasty victim could simply click “Yes”. OpenSSH with StrictHostKeyChecking yes refuses a changed key outright, and with public key authentication there is no password to capture in the first place.
![Page 18: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/18.jpg)
OK I’m connected…am I still safe? Not necessarily. To check a password, the openssh-server daemon must have it in clear text, so during authentication your password sits unencrypted in sshd’s memory on the server, where anyone with root can read it out (one more reason to prefer key authentication: the private key never leaves your client).
Proof of concept: http://zitstif.no-ip.org/capturessh2.txt
# Tested on SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
# Tested on SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
# Tested on OpenSSH 5.2 (protocol 2.0) Fedora 11
Need to find the source on this one!
![Page 19: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/19.jpg)
OK I’m connected…am I still safe? Watch out on your client side: poor man’s SSH keylogger!
http://blog.diogomonica.com/post/3087360614/poor-mans-ssh-keylogger
(Anyone with root on the machine you type on can attach a system-call tracer such as strace to your ssh client process and read every keystroke before it is encrypted. Encryption on the wire does not help against a compromised endpoint.)
![Page 20: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/20.jpg)
Locking Down The Server Side:sshd_config is your friend!
https://www.linux.com/learn/tutorials/305769-advanced-ssh-security-tips-and-tricks
•This may be debatable, but change your ssh server’s listening port to something other than 22. It cuts the noise from mass scanners and bots; it does nothing against an attacker who scans all ports.
•Again.. make sure your ssh server is strictly using protocol version 2 (Protocol 2 in sshd_config; moot from OpenSSH 7.4 on, where the server no longer speaks version 1 at all)
•Do not permit root login! (PermitRootLogin no)
•Permit/deny only specific users or groups! (AllowUsers/AllowGroups directive or DenyUsers/DenyGroups)
![Page 21: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/21.jpg)
Oh yeah..a quick note on changing the default port for ssh
http://danielmiessler.com/blog/security-and-obscurity-does-changing-your-ssh-port-lower-your-risk
![Page 22: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/22.jpg)
![Page 23: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/23.jpg)
Locking Down The Server Side:sshd_config is your friend!
https://www.linux.com/learn/tutorials/305769-advanced-ssh-security-tips-and-tricks
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
•Disable PasswordAuthentication and authenticate only using keys
•Configure keepalives so dead connections are dropped (ClientAliveInterval together with ClientAliveCountMax). Note that these detect a client that has stopped responding, not a user who is idle: an idle but live session stays up, so for idle logouts also set a shell timeout such as TMOUT.
•Limit what interfaces/addresses sshd binds to (ListenAddress, AddressFamily)
•Limit the number of authentication attempts per connection (MaxAuthTries)
![Page 24: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/24.jpg)
Locking Down The Server Side:sshd_config is your friend!
https://www.linux.com/learn/tutorials/305769-advanced-ssh-security-tips-and-tricks
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
http://www.uptimemore.com/password-retry-limits-ss.html
•Change the login grace time (LoginGraceTime)
•Oh yeah… disable empty passwords (Duh..) (PermitEmptyPasswords no)
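Turning the sshd_config list above into a check: an added example (not from the slides or the linked tutorials) that parses sshd_config the way sshd reads it (first occurrence of a keyword wins, keywords are case-insensitive, everything after a Match line is conditional) and audits a constructed weak file and a constructed hardened one. The numeric thresholds are my own choice.

```python
import re

# Constructed samples for this example; they are not any real host's files.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
LoginGraceTime 2m
PermitRootLogin no          # ignored: sshd keeps the FIRST value it saw
Match User backup
    PasswordAuthentication no   # conditional, does not fix the global setting
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
ListenAddress 192.0.2.10
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups sshusers
UseDNS no
"""

# Thresholds for the numeric directives are my own choice, not from the slides.
MAX_AUTH_TRIES = 4
MAX_LOGIN_GRACE_SECONDS = 60


def parse_time(value):
    """sshd time format: plain seconds or a number with an s/m/h/d/w suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError("bad time value %r" % value)
    return int(m.group(1)) * units.get(m.group(2), 1)


def parse_sshd_config(text):
    """Effective global settings: keywords case-insensitive, '=' accepted as
    separator, comments stripped, first occurrence wins, Match ends the global part."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit_sshd_config(text):
    """Return a list of findings against the hardening advice in the slides."""
    cfg = parse_sshd_config(text)
    findings = []

    def want(key, ok_values, default):
        value = cfg.get(key, default).lower()
        if value not in ok_values:
            findings.append("%s is %r, want one of %s" % (key, value, sorted(ok_values)))

    want("protocol", {"2"}, "2")
    want("permitrootlogin", {"no"}, "yes")   # assume the old default 'yes' when unset
    want("passwordauthentication", {"no"}, "yes")
    want("permitemptypasswords", {"no"}, "no")
    tries = cfg.get("maxauthtries", "6")
    if int(tries) > MAX_AUTH_TRIES:
        findings.append("maxauthtries %s exceeds %d" % (tries, MAX_AUTH_TRIES))
    grace = cfg.get("logingracetime", "120")
    if parse_time(grace) > MAX_LOGIN_GRACE_SECONDS:
        findings.append("logingracetime %s exceeds %ds" % (grace, MAX_LOGIN_GRACE_SECONDS))
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "OK")
```

The parser deliberately stops at the first `Match` line and ignores `Include`, so it reports only what applies to every connection; the trailing `PermitRootLogin no` in the weak sample is the classic mistake of appending a fix to the bottom of the file where sshd never reads it.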
![Page 25: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/25.jpg)
Locking Down The Server Side:Programs to help you lock down your server
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
•If applicable use iptables (or pf) to permit/deny specific IP addresses/ranges
•List of programs to help ward off dictionary/brute force attacks: http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html (#16)
•Set up port-knocking!
![Page 26: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/26.jpg)
Quick tips for speeding up SSHD loginsshd_config is your friend!
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
•Disable server side reverse DNS lookups if you don’t need them (UseDNS no). Logins then no longer wait on slow or broken reverse DNS; only hostname patterns in from= options of authorized_keys and host-based authentication depend on it.
•If you’re not using PAM with SSH then disable PAM (UsePAM no). Caveat: on most Linux distributions the packaged sshd relies on PAM for account and session handling, so check before turning it off.
![Page 27: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/27.jpg)
Client side configuration tipsssh_config is your friend!
http://www.evilsoft.org/2009/10/23/stupid-ssh-config-tricks
Are you sick of constantly typing in your password (if you’re using passwords) for additional connections when you’ve already authenticated to your ssh server?
Solution: add this to your ssh_config file (connection multiplexing; later ssh/scp/sftp sessions to the same host ride over the first connection instead of authenticating again):
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
Keep the ControlPath socket in a directory only you can access (~/.ssh should be mode 0700): anyone who can open that socket gets a session on the remote host without authenticating.
![Page 28: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/28.jpg)
Client side configuration tipsssh_config is your friend!
http://codeutopia.net/blog/2011/07/08/why-did-nobody-ever-tell-me-about-ssh_config/
Save yourself some keystrokes!
ssh -C -D 1234 user@example.com -p 5432
Edit your ssh_config file to something like this:
Host example example.com
    HostName example.com
    User user
    Port 5432
    DynamicForward 1234
    Compression yes
Now you only need to type: ssh example
![Page 29: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/29.jpg)
Client side configuration tipsssh_config is your friend!
Are there any options to check for DNS spoofing?
YES!
CheckHostIP yes
This will force ssh to do an additional check in the known_hosts file for the IP address of the server, so an address you have seen before that now presents a different key is reported even if the name you used for it is new. (OpenSSH defaulted this to yes until 8.5; newer clients need it set explicitly.)
![Page 30: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/30.jpg)
For more information on configuring sshd_configand ssh_config, please see:
man sshd_config && man ssh_config
![Page 31: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/31.jpg)
Now for those beautiful client-sided one liners… (top 10 one liners from commandlinefu.com)
(one-liners 1 to 5 appear only as screenshots in the original slides)
![Page 32: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/32.jpg)
Client-sided one liners… (top 10 one liners from commandlinefu.com)
(one-liners 6 to 8 appear only as screenshots in the original slides)
![Page 33: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/33.jpg)
Client-sided one liners… (top 10 one liners from commandlinefu.com)
(one-liners 9 and 10 appear only as screenshots in the original slides)
![Page 34: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/34.jpg)
Client-sided one liners…(more awesome one liners from commandlinefu.com)
![Page 35: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/35.jpg)
Client-sided one liners…(more awesome one liners from commandlinefu.com)
![Page 36: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/36.jpg)
For more awesome one-liners from commandlinefu.com:
![Page 37: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/37.jpg)
More awesome one-liners:http://diogomelo.net/blog/10/ssh-tricks
Don’t want to expose Remote Desktop via your firewall? You can still use it through ssh:
ssh -L 3389:192.168.1.100:3389 user@example.com
(then point your RDP client at localhost:3389; the listener binds to the loopback interface only, and it is example.com that must be able to reach 192.168.1.100)
Put the ssh client in a very verbose mode for troubleshooting/debugging:
ssh -vvv user@example.com
http://linuxaria.com/howto/trucchi-con-ssh?lang=en
![Page 38: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/38.jpg)
More awesome one-liners:
http://www.linuxjournal.com/article/6602?page=0,1
http://unix.stackexchange.com/questions/2302/can-i-pipe-dev-video-over-ssh
Pipe webcam over ssh:
![Page 39: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/39.jpg)
Client-sided one liners: Fun with the ‘-t’ option
Any program that needs a pseudo-terminal to work and that you need to run quickly: use -t.
Examples:
ssh -t user@example.com "python"
ssh -t user@example.com "irb"
ssh -t user@example.com "ssh user@host2"
ssh -t user@example.com "msfconsole"
ssh -t user@example.com "screen"
ssh -t user@example.com "vi"
![Page 40: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/40.jpg)
Client-sided one liners: Fun with reverse connections
Don’t have metasploit or any fancy info-sec tools on the device that is connected to the LAN, but the device still has an SSH client on it?
NO PROBLEM!
Target host: 192.168.1.102
Target port: 445
Payload port: 4444
Forward the target’s port 445 to the remote (metasploit) host with -R, and bring the remote handler’s port 4444 back onto the LAN with -L so the payload can call back:
ssh -t -R 4445:192.168.1.102:445 -L 0.0.0.0:4444:127.0.0.1:4444 user@example.com "msfconsole"
Then in metasploit on the remote host you point the exploit at the loopback interface (RHOST 127.0.0.1, RPORT 4445), bind the handler to the loopback as well (ReverseListenerBindAddress 127.0.0.1, LPORT 4444) and set LHOST to the LAN address of the device running ssh, which is where the target will connect back to.
![Page 41: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/41.jpg)
Client-sided one liners (Poor man’s VPN/proxy)
This will bind a SOCKS server to port 9050 on the interface 192.168.1.100 (dynamic forwarding: the -D option in its bind_address:port form). Binding to a LAN interface instead of the loopback lets other machines on that LAN use the tunnel too, so pair it with a firewall rule if that is not what you want.
![Page 42: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/42.jpg)
Client-sided one liners (Poor man’s VPN/proxy)
OK big deal.. I know that.. What’s special about it?
![Page 43: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/43.jpg)
Client-sided one liners (Poor man’s VPN/proxy)
What this means:
• You can now tunnel traffic securely between you, the client, and example.com
• If example.com sits on the 10.1.10.0/24 subnet, you can now access resources in that subnet via your tunnel, hence why this is a poor man’s VPN
• You can use programs like proxychains in tandem with SOCKS
• NOTE: example.com’s hosts file (/etc/hosts) does affect name resolution for the SOCKS client, because a SOCKS5 client that passes the hostname through (proxychains with proxy_dns, or curl with socks5h://) leaves the lookup to the ssh server
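What the NOTE means on the wire: an added example (not from the slides, proxychains or OpenSSH) that plays both halves of a SOCKS5 CONNECT over a local socket, with a stand-in for the listener `ssh -D` provides. With the hostname address type the name is never resolved on the client; it travels to the proxy, which is why example.com’s /etc/hosts decides where the connection goes. The target name is constructed.

```python
import socket
import struct
import threading

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def build_connect_request(host, port, resolve_locally=False):
    """SOCKS5 CONNECT request (RFC 1928 section 4). By default the hostname is
    sent as-is (ATYP 0x03) so the proxy, i.e. ssh -D on the remote box, resolves
    it with its own /etc/hosts and resolver; with resolve_locally=True the
    client resolves first and sends an IPv4 literal (ATYP 0x01)."""
    if resolve_locally:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    else:
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect_request(data):
    """(host, port) as the proxy sees them: a name, or an already-resolved IP."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS5 or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    return host, struct.unpack("!H", rest[:2])[0]


def _fake_socks_server(listener, seen):
    """Stand-in for the listener ssh -D provides: no-auth negotiation, record
    the CONNECT target, answer 'succeeded' without really connecting anywhere."""
    conn, _ = listener.accept()
    with conn:
        hello = conn.recv(257)                       # VER NMETHODS METHODS...
        if hello[0] != SOCKS5:
            raise ValueError("client is not SOCKS5")
        conn.sendall(bytes([SOCKS5, 0x00]))          # method 0x00 = no authentication
        seen.append(parse_connect_request(conn.recv(262)))
        conn.sendall(bytes([SOCKS5, 0x00, 0x00, ATYP_IPV4]) + b"\0\0\0\0" + b"\0\0")


def connect_through_socks(host, port, resolve_locally=False):
    """Client side of one proxied connect(), the part proxychains does for each
    TCP connection. Returns what the proxy was asked to connect to."""
    seen = []
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                  # ephemeral port; 9050 in the slide
    listener.listen(1)
    server = threading.Thread(target=_fake_socks_server, args=(listener, seen))
    server.start()
    with socket.create_connection(listener.getsockname()) as c:
        c.sendall(bytes([SOCKS5, 0x01, 0x00]))       # offer one method: no auth
        if c.recv(2) != bytes([SOCKS5, 0x00]):
            raise RuntimeError("method negotiation failed")
        c.sendall(build_connect_request(host, port, resolve_locally))
        if c.recv(10)[1] != 0x00:
            raise RuntimeError("CONNECT refused")
    server.join()
    listener.close()
    return seen[0]


if __name__ == "__main__":
    # Constructed target name: only the ssh server's resolver ever sees it.
    print(connect_through_socks("intranet.example.com", 3389))
    print(connect_through_socks("127.0.0.1", 22, resolve_locally=True))
```

The difference between the two calls is the whole "proxy_dns" story: with the first, the name leaves your machine unresolved and nothing about the target appears in your local DNS traffic; with the second, your own resolver is queried first and only the resulting address crosses the tunnel.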
![Page 44: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/44.jpg)
Client-sided one liners (Poor man’s VPN/proxy) Programs that play nicely with proxychains:
rdesktop, netcat, socat, nmap, hping, telnet, openvas, nessus, hydra, wget, ssh, metasploit (though not needed: set Proxies socks5:localhost:1234), ncrack... (the list goes on)
Almost any application that works on *nix and relies on TCP/IP. The catch: proxychains hooks the connect() call, so only TCP connections go through the tunnel. Use nmap -sT -Pn (no SYN scans, no ping), and raw-socket tools such as hping send their packets directly, bypassing the proxy.
![Page 45: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/45.jpg)
Ways of setting up sshd the quick and dirty way…
Scenario 1:
Are you doing a pentest and you find a router that is compatible with openwrt or dd-wrt?
Flash it! Most versions of openwrt and dd-wrt ship an SSH server (OpenWrt’s is Dropbear)
Scenario 2:
You’ve popped a shell on a Windows box and you’d like to setup an SSHD server:
Copssh_3.1.4_Installer.exe /S
Copssadm --command activeuser --user USERNAME --shell /bin/bash
![Page 46: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/46.jpg)
Ways of setting up sshd the quick and dirty way…
Meterpreter from the metasploit project now has a meterpreter script that can deploy an openssh server on Windows victims. (I must admit, the few times I’ve tried it, it has never worked for me!)
![Page 47: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/47.jpg)
SSH and Window$
SSH Clients on Windows: PuTTY, plink, psftp, ssh (Cygwin) (there are a bunch.. http://en.wikipedia.org/wiki/Comparison_of_SSH_clients#Platform)
Probably one of the best guides for installing Cygwin w/ an openssh server on Windows:http://pigtail.net/LRP/printsrv/cygwin-sshd.html
NOTE: Follow the steps very closely!
Minimal/Easy Install options of cygwin with sshd: http://sshwindows.sourceforge.net/https://www.itefix.no/i2/copssh
For X11 forwarding over SSH, Install Xming and use putty: http://sourceforge.net/projects/xming/
![Page 48: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/48.jpg)
Programming/Automating SSH
Examples of languages that you can use for automating SSH: (shown as a screenshot in the original slide)
![Page 49: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/49.jpg)
Programming/Automating SSH
Python example: (shown as a screenshot in the original slide)
Very good guide on paramiko: http://jessenoller.com/2009/02/05/ssh-programming-with-paramiko-completely-different/
![Page 50: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/50.jpg)
SSH and IPv6
Very good guide for getting around with IPv6 that shows examples of SSH usage:
http://www.enterprisenetworkingplanet.com/netsp/article.php/3634596/Getting-Around-IPv6.htm
Things to check:
• Use ping6 to ping at least your loopback interface ::1
• Use ping6 to ping IPv6 domain names (i.e. ipv6.google.com)
• Make sure your SSH server is set up to listen on an IPv6 address (NOTE: the IPv6 equivalent of 0.0.0.0 is ::, and sshd’s AddressFamily/ListenAddress directives control this)
Simple example using ssh and IPv6:
ssh user@2001:4860:800a::93
(scp and other URL-style forms need the address in brackets, e.g. scp file 'user@[2001:4860:800a::93]:/tmp/')
![Page 51: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/51.jpg)
Live Demo: SSH/Miredo/IPV6
Thanks Mubix! (http://www.room362.com/blog/2010/9/24/revenge-of-the-bind-shell.html )
![Page 52: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/52.jpg)
Questions?
?
![Page 53: Presentation nix](https://reader035.vdocument.in/reader035/viewer/2022081513/555a082fd8b42aa8098b539e/html5/thumbnails/53.jpg)
FIN!
Postscript: man ssh