5. And in the real world......
Web directory traversal
6. And in the real world......
Extract valid users
Brute-force.....well sort of!
*And yes......I did priv esc to root
7. ssh for pen-testers
ssh
putty
scp / pscp
ssh authentication
hardening the ssh daemon
ssh & MiTM
Tunnelling
X11 Tunnelling
ssh-agent
This only deals with ssh itself; appreciate that iptables, TCP Wrappers (hosts.allow /
hosts.deny), fail2ban and even port-knocking can and “should” be used as well!
8. ssh – secure shell
We all use ssh / putty?
We all know why we use ssh / putty?
Telnet - rubbish
ssh - much better
9. putty
PuTTY is a free and open source terminal emulator application which can act as a
client for ssh…and a hell of a lot more too!
PuTTY – the ssh client;
PSCP - an scp client, i.e. command-line secure file copy;
PSFTP - an sftp client, i.e. general file transfer sessions much like ftp;
Plink - a command-line interface to the PuTTY back ends;
Pageant - an SSH authentication agent for PuTTY, PSCP and Plink;
PuTTYgen - an RSA and DSA key generation utility.
10. scp / pscp
A secure way of transferring files to and from hosts, using exactly the same
syntax as cp.
Copying a file to a host:
scp SourceFile user@host:directory/TargetFile
Copying a file from a host:
scp user@host:/directory/SourceFile TargetFile
11. scp / pscp
PuTTY too has a version of scp, namely pscp, which will allow you
to shift files from a Windows box to your *nix box (and vice-versa).
12. scp / pscp
An example of pscp:
*Notice the second command has an agent parameter and no password!
13. ssh authentication
Two main methods of authentication.....there are more (Kerberos
related etc) but these are what I typically see:
Enable verbosity (-v) while connecting and you can see the
authentication mechanisms the server offers:
14. Password authentication (tunnelled clear-text)
This is enabled by default and brute-forceable.
Of the many options in sshd_config, this is one of the most
important and most overlooked.
15. Something I’ve Been Working On........
Script to test a list of given hosts for given creds.
Loads of work to do on this, but it's a start!
16. Password authentication
I sometimes see keyboard-interactive offered as well.
To disable:
- ChallengeResponseAuthentication no
- UsePAM no
18. Publickey Authentication
Public-key authentication lets you prove your identity to a remote
host using a cryptographic key instead of a login password.
This method is orders of magnitude harder to brute-force than a
password.
22. Authorized_keys file
AuthorizedKeysFile specifies the file containing public keys for
public key authentication; if none is specified, the default is
~/.ssh/authorized_keys.
Additional security / options can be added here:
Loads of options here:
- command="command" - useful for backups / dumps etc
- no-X11-forwarding
- no-port-forwarding
- no-agent-forwarding
23. from (man authorized_keys)
from=“pattern”
- The purpose of this option is to optionally increase security:
public key authentication by itself does not trust the network
or name servers or anything (but the key); however, if
somebody somehow steals the key, the key permits an
intruder to log in from anywhere in the world. This additional
option makes using a stolen key more difficult.
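As an added example (not from the slides), a small POSIX-sh check that reads an authorized_keys file and reports keys carrying none of the options listed above, i.e. no from= (the stolen-key problem the man page describes) and no no-port-forwarding / restrict. The file contents and key blobs are constructed placeholders.

```shell
# Added example: flag authorized_keys entries lacking the restricting options
# discussed on the slides. Constructed sample; the key blobs are placeholders.
AK_SAMPLE=$(cat <<'EOF'
# workstation key, no options at all
ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_KEY_1 alice@laptop
# backup key: pinned to a source network, forced command, forwarding off
from="192.168.1.0/24",command="/usr/local/bin/dump.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_KEY_2 backup@nas
# source pinned only
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_KEY_3 bob@desktop
EOF
)

# Print the option prefix of one authorized_keys line; empty when the line
# starts with the key type, i.e. the key carries no restrictions at all.
ak_options() {
    printf '%s\n' "$1" | sed -E -n \
        's/^(.*[^ ]) (ssh-[a-z0-9-]+|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+) .*/\1/p'
}

# One line per key: "<comment>: <findings>" where the findings are
#   no-from                  a stolen key is usable from any source address
#   port-forwarding-allowed  neither no-port-forwarding nor restrict present
audit_authorized_keys() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        comment=${line##* }        # trailing field; the key blob if no comment
        opts=$(ak_options "$line")
        findings=""
        case "$opts" in *from=*) ;; *) findings="$findings no-from" ;; esac
        case "$opts" in *no-port-forwarding*|*restrict*) ;;
                        *) findings="$findings port-forwarding-allowed" ;; esac
        printf '%s:%s\n' "$comment" "${findings:- ok}"
    done
}

audit_authorized_keys "$AK_SAMPLE"
```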
24. from
Change the IP address in from= to a value that isn't mine:
If password authentication is still enabled, sshd will fall back to this method
of authentication; otherwise,
25. Re-cap
Now we have public key authentication sorted:
- Create public / private key (ssh-keygen)
- [secure] copy publickey to host (scp/pscp/ssh)
- Add publickey to remote authorized_keys file
- Consider additional security through authorized_keys file
- Disable password authentication in sshd_config*
- Bounce the sshd service
1. /etc/init.d/ssh restart
2. kill -HUP `cat /var/run/sshd.pid`
26. Hardening sshd
Typically, this is held in /etc/ssh/sshd_config*
Loads of options here to “increase security”; I'll concentrate on a few key ones
(see man sshd_config for all options):
- PermitRootLogin (H)
- PermitEmptyPasswords (H)
- PasswordAuthentication (M)
- AllowUsers (M)
- Protocol (M)
- MaxAuthTries (M)
- Port (good for thwarting bots, e.g. dd_ssh) (L)
*I’ve not included any info on the client config file (/etc/ssh/ssh_config)
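As an added example (not from the slides), a POSIX-sh audit that reads an sshd_config and reports the keywords listed above against their H/M ratings, shown on a constructed weak file and on the same file hardened. It assumes a file without Match blocks; the MaxAuthTries threshold of 3 is my choice, not the slides'.

```shell
# Added example: audit an sshd_config for the keywords the slides single out.
# Constructed weak sample; the duplicated PermitRootLogin shows that sshd
# honours the FIRST value it reads, so the later "no" is silently ignored.
SSHD_WEAK=$(cat <<'EOF'
Protocol 2
PermitRootLogin yes
#PermitEmptyPasswords no
PasswordAuthentication yes
MaxAuthTries 6
PermitRootLogin no
EOF
)
# The same file after applying the slides' recommendations.
SSHD_HARDENED=$(cat <<'EOF'
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
AllowUsers alice bob
MaxAuthTries 3
EOF
)
# Effective value of KEY in the config text: the first non-comment match wins
# and keywords are case-insensitive. Match blocks are not handled (assumption).
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}
# sshd_check LEVEL KEY WANT: print a finding unless the effective value is WANT.
sshd_check() {
    val=$(sshd_get "$CFG" "$2")
    if [ -z "$val" ]; then echo "$1 $2 unset (compiled-in default applies)"
    elif [ "$val" != "$3" ]; then echo "$1 $2=$val (want $3)"
    fi
}
# The hardening list with the slides' H/M ratings; MaxAuthTries <= 3 is my threshold.
audit_sshd_config() {
    CFG=$1
    sshd_check H PermitRootLogin no
    sshd_check H PermitEmptyPasswords no
    sshd_check M PasswordAuthentication no
    sshd_check M Protocol 2
    [ -n "$(sshd_get "$CFG" AllowUsers)" ] || echo "M AllowUsers unset (no user allow-list)"
    tries=$(sshd_get "$CFG" MaxAuthTries)
    [ "${tries:-6}" -le 3 ] || echo "M MaxAuthTries=${tries:-6} (want <= 3)"
}
audit_sshd_config "$SSHD_WEAK"       # five findings; the hardened file prints none
```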
30. ssh tunnelling
[ssh] tunneling is a way to tunnel insecure protocols through a
secure communication channel.
It can also be used to reach devices sitting behind a NAT’ed
device.
These tunnels can either be Local or Remote:
- An SSH Local Forward is a tunnel from your local machine through the
SSH server.
- An SSH Remote Forward is a tunnel from the remote machine through
the SSH client.
*This assumes AllowTcpForwarding in sshd_config is set to yes, which is
the default.
31. ssh tunnelling – local example
[Diagram: local forward example. Labels: 192.168.1.4:445 (Ubuntu), 192.168.1.3:445 (Windows 2k3), Encrypted Tunnel, 127.0.0.1:445]
37. ssh tunnelling (PuTTY)
Open an ssh session as normal; this will create the tunnel:
Open RDP and tunnel through our Linux box to the remote
Windows server:
39. X11 Tunnels
Traffic between an X server and remote X clients is not encrypted
by default.
X11 tunnels are similar to regular tunnels. The only difference is
that when you ssh into a remote machine, ssh sets up the
DISPLAY environment variable so it points back to the machine you
are sitting at.
42. ssh-agent
ssh-agent is a program to hold private keys used for public key authentication (RSA,
DSA).
Why the eval?
43. ssh-agent
Running ssh-agent by itself isn't enough; you also need to set some environment
variables, for binding to ports etc.
Being lazy, I run eval `ssh-agent`
44. Locking The Agent
It is possible to list the public keys held by the agent (ssh-add -L), which isn't ideal;
fortunately, you can lock the agent to give nothing away!!
Lock agent
Un-lock agent
45. PuTTY Agent
As you’d expect, PuTTY has its own version of the agent, Pageant.
Add your private key to the agent and, as discussed earlier, you can
ssh in, scp without a password, etc.
46. Conclusion
ssh / putty is awesome, but by no means perfect!
It can be made nails, and we, as pen-testers, should make
appropriate recommendations around its use....and use it in a
secure fashion ;-)
Assuming you have permission, don’t forget to brute-force ssh.