SSH
1
2
3
ip a
inet 192.244.143.2/24
ping 192.244.143.3
1
2
3
4
nmap 192.244.143.3
PORT STATE SERVICE
22/tcp open ssh
1
2
3
4
5
6
nmap 192.244.143.3 -sV -O
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
You have 3 chances for passwords.
1
2
3
4
5
6
ssh root@192.244.143.3
yes
Welcome to attack defense ssh recon lab!!
root@192.244.143.3's password: 123
Permission denied, please try again.
root@192.244.143.3's password:
1
2
3
nc 192.244.143.3 22
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
Protocol mismatch.
1
nmap 192.244.143.3 -p 22 --script ssh2-enum-algos
1
nmap 192.244.143.3 -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
1
2
3
4
5
6
nmap 192.244.143.3 -p 22 --script ssh-auth-methods --script-args="ssh.user=student"
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods: none_auth
1
2
3
4
5
6
7
8
nmap 192.244.143.3 -p 22 --script ssh-auth-methods --script-args="ssh.user=admin"
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| password
1
2
3
4
5
6
7
ssh student@192.244.143.3
student@victim-1:~$ whoami
student
student@victim-1:~$ ls
FLAG
student@victim-1:~$ cat FLAG
SSH Recon: Basic(SSH侦察:基本)
概述
在这个挑战中,我们将了解 SSH 服务器侦察的基础知识。请开始实验并回答以下问题:
问题
- SSH 服务器的版本是多少。
- 使用 netcat 获取横幅并检查 SSH 服务器的版本。
- 获取登录前 SSH 横幅。
- SSH 服务器支持多少个“加密算法”。
- SSH 服务器使用的 ssh-rsa 主机密钥是什么。
- SSH 服务器正在为用户“学生”使用哪种身份验证方法。
- SSH 服务器正在为用户“admin”使用哪种身份验证方法。
- 使用 nmap ssh-run 脚本从 /home/student/FLAG 获取标志。
指示:
- 这个实验室是献给你的!此网络上没有其他用户 :)
- 开始实验室后,您将可以访问 Kali 实例的根终端
- 你的 Kali 有一个 IP 地址为 192.XYZ 的接口运行“ip addr”来知道 X 和 Y 的值。
- 目标机器应位于 IP 地址 192.XY3。
- 不要攻击位于 IP 地址 192.XY1 的网关
我自己的解决思路
In this challenge we will look at the basics of SSH server reconnaissance. Please start the lab and answer the following questions:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
29105: eth0@if29106: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:01:00:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.10/16 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
29108: eth1@if29109: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:0a:48:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.10.72.2/24 brd 192.10.72.255 scope global eth1
valid_lft forever preferred_lft forever
1
2
3
4
5
6
7
8
9
10
root@attackdefense:~# ping 192.10.72.3 -c 4
PING 192.10.72.3 (192.10.72.3) 56(84) bytes of data.
64 bytes from 192.10.72.3: icmp_seq=1 ttl=64 time=0.093 ms
64 bytes from 192.10.72.3: icmp_seq=2 ttl=64 time=0.077 ms
64 bytes from 192.10.72.3: icmp_seq=3 ttl=64 time=0.069 ms
64 bytes from 192.10.72.3: icmp_seq=4 ttl=64 time=0.036 ms
--- 192.10.72.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 72ms
rtt min/avg/max/mdev = 0.036/0.068/0.093/0.023 ms
1
2
3
4
5
6
7
8
9
10
root@attackdefense:~# nmap 192.10.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 09:03 UTC
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.000010s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Questions
What is the version of SSH server.
OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@attackdefense:~# nmap 192.10.72.3 -p 22 -sV -O
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 09:04 UTC
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.000034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Fetch the banner using netcat and check the version of SSH server.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
1
2
3
4
root@attackdefense:~# nc 192.10.72.3 22
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
Protocol mismatch.
Fetch pre-login SSH banner.
Pre login banner is use for sending a warning message before authentication may be relevant for getting legal protection or just give out information to users. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2.
1
Welcome to attack defense ssh recon lab!
我们有3次尝试输入密码的机会。
1
2
3
4
5
6
7
8
9
10
11
12
root@attackdefense:~# ssh root@192.10.72.3
The authenticity of host '192.10.72.3 (192.10.72.3)' can't be established.
ECDSA key fingerprint is SHA256:dxlBXgBb0Iv5/LmemZ2Eikb5+GLl9CSLf/B854fUeV8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.10.72.3' (ECDSA) to the list of known hosts.
Welcome to attack defense ssh recon lab!!
root@192.10.72.3's password:
Permission denied, please try again.
root@192.10.72.3's password:
Permission denied, please try again.
root@192.10.72.3's password:
root@192.10.72.3: Permission denied (publickey,password).
How many “encryption_algorithms” are supported by the SSH server.
6
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
root@attackdefense:~# nmap --script ssh2-enum-algos 192.10.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 09:29 UTC
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (6)
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (5)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
What is the ssh-rsa host key being used by the SSH server.
AAAAB3NzaC1yc2EAAAADAQABAAABAQC1fkJK7F8yxf3vewEcLYHljBnKTAiRqzFxkFo6lqyew73ATL2Abyh6at/oOmBSlPI90rtAMA6jQGJ+0HlHgf7mkjz5+CBo9j2VPu1bejYtcxpqpHcL5Bp12wgey1zup74fgd+yOzILjtgbnDOw1+HSkXqN79d+4BnK0QF6T9YnkHvBhZyjzIDmjonDy92yVBAIoB6Rdp0w7nzFz3aN9gzB5MW/nSmgc4qp7R6xtzGaqZKp1H3W3McZO3RELjGzvHOdRkAKL7n2kyVAraSUrR0Oo5m5e/sXrITYi9y0X6p2PTUfYiYvgkv/3xUF+5YDDA33AJvv8BblnRcRRZ74BxaD
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@attackdefense:~# nmap 192.10.72.2 --script ssh-hostkey --script-args ssh_hostkey=full
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 09:56 UTC
Nmap scan report for attackdefense.com (192.10.72.2)
Host is up (0.0000040s latency).
All 1000 scanned ports on attackdefense.com (192.10.72.2) are closed
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
root@attackdefense:~# nmap 192.10.72.3 --script ssh-hostkey --script-args ssh_hostkey=full
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 09:56 UTC
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1fkJK7F8yxf3vewEcLYHljBnKTAiRqzFxkFo6lqyew73ATL2Abyh6at/oOmBSlPI90rtAMA6jQGJ+0HlHgf7mkjz5+CBo9j2VPu1bejYtcxpqpHcL5Bp12wgey1zup74fgd+yOzILjtgbnDOw1+HSkXqN79d+4BnK0QF6T9YnkHvBhZyjzIDmjonDy92yVBAIoB6Rdp0w7nzFz3aN9gzB5MW/nSmgc4qp7R6xtzGaqZKp1H3W3McZO3RELjGzvHOdRkAKL7n2kyVAraSUrR0Oo5m5e/sXrITYi9y0X6p2PTUfYiYvgkv/3xUF+5YDDA33AJvv8BblnRcRRZ74BxaD
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB0cJ/kSOXBWVIBA2QH4UB6r7nFL5l7FwHubbSZ9dIs2JSmn/oIgvvQvxmI5YJxkdxRkQlF01KLDmVgESYXyDT4=
|_ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuZlCFfTgeaMC79zla20ZM2q64mjqWhKPw/2UzyQ2W/
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
Which authentication method is being used by the SSH server for user “student”.
none_auth
返回 SSH 服务器支持的身份验证方法。
这属于“侵入性”类别,因为它使用可能无效的用户名启动身份验证。放弃的连接可能会被记录。
1
2
3
4
5
6
7
8
9
10
11
12
root@attackdefense:~# nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=student" 192.10.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 10:09 UTC
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.000095s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
|_ Supported authentication methods: none_auth
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
Which authentication method is being used by the SSH server for user “admin”.
publickey, password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@attackdefense:~# nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=admin" 192.10.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 10:11 UTC
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.000064s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
Fetch the flag from /home/student/FLAG by using nmap ssh-run script.
e1e3c0c9d409f594afdb18fe9ce0ffec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@attackdefense:~# nmap -p 22 --script=ssh-run --script-args="ssh-run.cmd=ls -l, ssh-run.username=student, ssh-run.password=''" 192.10.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 10:22 UTC
NSE: [ssh-run] Authenticated
NSE: [ssh-run] Running command: ls -l
NSE: [ssh-run] Output of command: total 4
-rw-r--r-- 1 root root 33 Nov 22 2018 FLAG
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.000069s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-run:
| output:
| total 4\x0D
|_-rw-r--r-- 1 root root 33 Nov 22 2018 FLAG\x0D
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@attackdefense:~# nmap -p 22 --script=ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG, ssh-run.username=student, ssh-run.password=''" 192.10.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-22 10:25 UTC
NSE: [ssh-run] Authenticated
NSE: [ssh-run] Running command: cat /home/student/FLAG
NSE: [ssh-run] Output of command: e1e3c0c9d409f594afdb18fe9ce0ffec
Nmap scan report for target-1 (192.10.72.3)
Host is up (0.000047s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-run:
| output:
|_ e1e3c0c9d409f594afdb18fe9ce0ffec\x0D
MAC Address: 02:42:C0:0A:48:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
root@attackdefense:~# ssh student@192.10.72.3
Welcome to attack defense ssh recon lab!!
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 5.4.0-121-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Aug 22 10:25:25 2022 from 192.10.72.2
student@victim-1:~$ whoami
student
student@victim-1:~$ pwd
/home/student
student@victim-1:~$ ls
FLAG
student@victim-1:~$ cat FLAG
e1e3c0c9d409f594afdb18fe9ce0ffec
解决方案
此实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-526.pdf