SlideShare a Scribd company logo

(Mis)trusting and (ab)using ssh

Tiago Henriques
Tiago Henriques

Bruno Morisson e Herman Duarte (http://pt.linkedin.com/in/morisson /http://pt.linkedin.com/in/hcoduarte) Título: (ab)using SSH - Tips & Tricks for Pentesters and Sysadmins

Technology
1 of 38
Download to read offline
(mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org> Monday, July 2, 12 1
About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte Monday, July 2, 12 2
In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clear Monday, July 2, 12 3
In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ... Monday, July 2, 12 4
Enter the Dragon^WSSH Monday, July 2, 12 5
SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2 Monday, July 2, 12 6
Monday, July 2, 12 7
SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IP Monday, July 2, 12 8
SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection Server Monday, July 2, 12 9
SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response Password Monday, July 2, 12 10
Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd file Monday, July 2, 12 11
If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised! Monday, July 2, 12 12
PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keys Monday, July 2, 12 13
DEMO Monday, July 2, 12 14
What if I have a lot of keys, or login a lot ?? Monday, July 2, 12 15
SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keys Monday, July 2, 12 16
What if I SSH into other servers ?? Monday, July 2, 12 17
SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless! Monday, July 2, 12 18
SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 19
Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authentication Monday, July 2, 12 20
DEMO Monday, July 2, 12 21
Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ? Monday, July 2, 12 22
DEMO Monday, July 2, 12 23
Help us Obi Wan You’re our only hope! Monday, July 2, 12 24
Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for auth Monday, July 2, 12 25
Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase Monday, July 2, 12 26
DEMO Monday, July 2, 12 27
But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :) Monday, July 2, 12 28
DEMO Monday, July 2, 12 29
Paranoia is reality on a finer scale Monday, July 2, 12 30
Monday, July 2, 12 31
Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted Server Monday, July 2, 12 32
Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validation Monday, July 2, 12 33
Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 34
DEMO Monday, July 2, 12 35
Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yes Monday, July 2, 12 36
Live long and prosper Monday, July 2, 12 37
References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/ Monday, July 2, 12 38

Recommended

Cryptographic authentication
Cryptographic authenticationCryptographic authentication
Cryptographic authenticationnirmal08
 
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Adil Khan
 
Blockchain - a formal introduction
Blockchain - a formal introductionBlockchain - a formal introduction
Blockchain - a formal introductionSander Demeester
 
Transparent proxy
Transparent proxyTransparent proxy
Transparent proxyMuhammad Iqbal
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
ssh_tricks
ssh_tricksssh_tricks
ssh_tricksvide80
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricksAssem CHELLI
 
Formation ssh
Formation sshFormation ssh
Formation sshNicolas Ledez
 

Recommended

Cryptographic authentication
Cryptographic authenticationCryptographic authentication
Cryptographic authenticationnirmal08
 
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Adil Khan
 
Blockchain - a formal introduction
Blockchain - a formal introductionBlockchain - a formal introduction
Blockchain - a formal introductionSander Demeester
 
Transparent proxy
Transparent proxyTransparent proxy
Transparent proxyMuhammad Iqbal
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
ssh_tricks
ssh_tricksssh_tricks
ssh_tricksvide80
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricksAssem CHELLI
 
Formation ssh
Formation sshFormation ssh
Formation sshNicolas Ledez
 
BSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdfTiago Henriques
 
Pixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecturePixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architectureTiago Henriques
 
Pixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionPixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionTiago Henriques
 
The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017Tiago Henriques
 
Webzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in SwitzerlandWebzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in SwitzerlandTiago Henriques
 
BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity Tiago Henriques
 
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...Tiago Henriques
 
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015Tiago Henriques
 
Codebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the winCodebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the winTiago Henriques
 
Presentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresecPresentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresecTiago Henriques
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
Workshop
WorkshopWorkshop
WorkshopTiago Henriques
 
Enei
EneiEnei
EneiTiago Henriques
 
Confraria 28-feb-2013 mesa redonda
Confraria 28-feb-2013 mesa redondaConfraria 28-feb-2013 mesa redonda
Confraria 28-feb-2013 mesa redondaTiago Henriques
 
Preso fcul
Preso fculPreso fcul
Preso fculTiago Henriques
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a countryTiago Henriques
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocTiago Henriques
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineeringTiago Henriques
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 

More Related Content

More from Tiago Henriques

BSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdfTiago Henriques
 
Pixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecturePixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architectureTiago Henriques
 
Pixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionPixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionTiago Henriques
 
The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017Tiago Henriques
 
Webzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in SwitzerlandWebzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in SwitzerlandTiago Henriques
 
BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity Tiago Henriques
 
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...Tiago Henriques
 
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015Tiago Henriques
 
Codebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the winCodebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the winTiago Henriques
 
Presentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresecPresentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresecTiago Henriques
 
Confraria 28-feb-2013 mesa redonda
Confraria 28-feb-2013 mesa redondaConfraria 28-feb-2013 mesa redonda
Confraria 28-feb-2013 mesa redondaTiago Henriques
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a countryTiago Henriques
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocTiago Henriques
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineeringTiago Henriques
 

More from Tiago Henriques (20)

BSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdf
 
Pixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecturePixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecture
 
Pixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionPixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet version
 
The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017
 
Webzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in SwitzerlandWebzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in Switzerland
 
BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity
 
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
 
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
 
Codebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the winCodebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the win
 
Presentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresecPresentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresec
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101
 
Workshop
WorkshopWorkshop
Workshop
 
Enei
EneiEnei
Enei
 
Confraria 28-feb-2013 mesa redonda
Confraria 28-feb-2013 mesa redondaConfraria 28-feb-2013 mesa redonda
Confraria 28-feb-2013 mesa redonda
 
Preso fcul
Preso fculPreso fcul
Preso fcul
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a country
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 

Recently uploaded

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

(Mis)trusting and (ab)using ssh

  • 1. (mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org> Monday, July 2, 12 1
  • 2. About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte Monday, July 2, 12 2
  • 3. In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clear Monday, July 2, 12 3
  • 4. In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ... Monday, July 2, 12 4
  • 6. SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2 Monday, July 2, 12 6
  • 8. SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IP Monday, July 2, 12 8
  • 9. SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection Server Monday, July 2, 12 9
  • 10. SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response Password Monday, July 2, 12 10
  • 11. Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd file Monday, July 2, 12 11
  • 12. If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised! Monday, July 2, 12 12
  • 13. PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keys Monday, July 2, 12 13
  • 15. What if I have a lot of keys, or login a lot ?? Monday, July 2, 12 15
  • 16. SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keys Monday, July 2, 12 16
  • 17. What if I SSH into other servers ?? Monday, July 2, 12 17
  • 18. SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless! Monday, July 2, 12 18
  • 19. SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 19
  • 20. Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authentication Monday, July 2, 12 20
  • 22. Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ? Monday, July 2, 12 22
  • 24. Help us Obi Wan You’re our only hope! Monday, July 2, 12 24
  • 25. Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for auth Monday, July 2, 12 25
  • 26. Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase Monday, July 2, 12 26
  • 28. But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :) Monday, July 2, 12 28
  • 30. Paranoia is reality on a finer scale Monday, July 2, 12 30
  • 32. Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted Server Monday, July 2, 12 32
  • 33. Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validation Monday, July 2, 12 33
  • 34. Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 34
  • 36. Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yes Monday, July 2, 12 36
  • 37. Live long and prosper Monday, July 2, 12 37
  • 38. References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/ Monday, July 2, 12 38