Effective SSH usage for Pentesters

This is a beginner level session to train you into using SSH more effectively.

While pentesters may benefit (especially if they are planning on doing a time-based exam like OSCP), this should be useful for anyone who needs to log in to servers using a Secure SHell.

OpenSSH is an open-source implementation of the SSH protocol, and it is the client and server used throughout this session.

Getting Started

Login to the server

You need the following four things

  1. SSH Client software
  2. Username that you are trying to login as
  3. Hostname/IP address of that server
  4. Password of the username you are trying to login as

To access the servers you will need the following

Name of the host    IP address
sshserver100        192.168.1.100
sshserver200        192.168.1.200

About lack of password security

For the duration of this workshop, the password for all users is passpass. This is just to ensure that we don't waste any time trying to remember passwords.

Important to note

Also if a command says user, you need to substitute it with your first name in lower case.

With the above pieces in place

SSH Login

ssh <USERNAME>@<HOSTNAME/IP>

Try now

ssh user@192.168.1.100
user@192.168.1.100's password:

Providing a different user

Try giving the username with -l flag

ssh -l <USERNAME> host/ip

Providing a different port

What if the SSH service is not listening on the standard port (22)? Pass the port with -p; like all ssh options it must come before the hostname.

ssh -l akash -p 2222 192.168.1.200

Executing a command and capturing the output

Anything after the hostname is sent to the server as the command to run, and its output comes back on stdout, so it can be captured like any local command. Quote the variable when printing it, or the shell collapses the newlines into one line.

output=$(ssh akash@192.168.1.100 ls -ltra)
echo "$output"

Try out the following commands and capture the output for both the servers

  • id
  • ifconfig
  • netstat -nltup
  • ps aux
  • iptables -L
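Running that list by hand on every host gets old fast. The script below is an added example, not part of the workshop material: it runs the same recon commands on each host and stores each host's output in its own file, with a header per command and the exit status recorded when a command fails (iptables without root, netstat missing on newer distributions). It assumes key or agent authentication is already set up, and the RUNNER variable (our own name) exists only so the function can be dry-run locally with a stand-in for ssh.

```shell
#!/bin/sh
# Added example (not part of the workshop): run the recon commands above on
# every host and keep each host's output in its own file, so you stop retyping
# ssh and can diff the results later. Assumes key or agent auth is already set
# up; with password auth you will be prompted once per command.
set -u

# Command that gives us a remote shell. In real use this is ssh, optionally
# with "-F null-puliya-ssh-config"; it is a variable so the function can be
# driven by a local stand-in when you want to dry-run it (an assumption of
# this example, not an ssh feature).
RUNNER="${RUNNER:-ssh}"

# collect_host_info HOST OUTDIR
# Runs each command on HOST via $RUNNER, appends the output under a "### cmd"
# header to OUTDIR/HOST.txt, records a non-zero exit status instead of
# aborting, and prints the path of the file written.
collect_host_info() {
    host="$1"
    outdir="$2"
    outfile="$outdir/$host.txt"
    mkdir -p "$outdir"
    : > "$outfile"
    for cmd in 'id' \
               'ip addr 2>/dev/null || ifconfig' \
               'ss -nltup 2>/dev/null || netstat -nltup' \
               'ps aux' \
               'iptables -L -n'; do
        printf '### %s\n' "$cmd" >> "$outfile"
        # The whole command is one quoted argument so that the remote shell,
        # not our local one, interprets the "||" fallbacks. In "a || b", $?
        # inside b is a's exit status, which is what we want to record.
        $RUNNER "$host" "$cmd" >> "$outfile" 2>&1 \
            || printf '### exit status %s\n' "$?" >> "$outfile"
    done
    echo "$outfile"
}

# Usage: sh recon.sh sshserver100 sshserver200   (writes ./recon/<host>.txt)
for h in ${1+"$@"}; do
    collect_host_info "$h" ./recon >/dev/null
done
```

With the config file from the next section in place, RUNNER="ssh -F null-puliya-ssh-config" lets you pass the aliases instead of user@ip pairs.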

Becoming Productive

We realise quickly that typing the password so many times means that we can't automate and script things. And it is boring! So now we will do two things to make us really productive

  1. Use a configuration file to maintain how we want to use our SSH commands
  2. Add an identity file for public/private key authentication

Using a configuration file

A default configuration file can be created in ~/.ssh/config path.

For this workshop we will not mess with that.

Make a new directory effective-ssh-usage-for-pentesters in your laptop.

mkdir effective-ssh-usage-for-pentesters
cd effective-ssh-usage-for-pentesters

Open your favourite text editor and create a new file called null-puliya-ssh-config

This is a simple text file. Configurations can be on a per-host basis.

Let's add a new host

Host server100

While it is not required, the convention is to indent the options that belong to each Host line.

Add a hostname or ip address for that host

Host server100
    Hostname 192.168.1.100

Add a username

Host server100
    Hostname 192.168.1.100
    User user

We can add two more useful configurations

Primarily to make sure an idle connection is not dropped by a firewall or NAT box in between, we add the following two options. They make the client send a keepalive every 30 seconds and give up after 10 unanswered ones (five minutes of silence):

  • ServerAliveInterval 30
  • ServerAliveCountMax 10

To read what these two do, and to look up more options, use man 5 ssh_config

Final output

Host server100
    Hostname 192.168.1.100
    User akash
    ServerAliveInterval 30
    ServerAliveCountMax 10

Using our custom config file

ssh -F null-puliya-ssh-config server100

This gets us to the same password prompt we had at the start, with much less typing.

If you wanted to add the options on the original command line, this is what the command would look like. ssh stops parsing options at the hostname and sends everything after it to the server as the command to run, so the -o options have to come before 192.168.1.100:

ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=10 -l user 192.168.1.100
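A config file is only useful if the client reads it the way you meant. The script below is an added example, not from the workshop: it writes the Host block above and then asks the client what it will actually use with ssh -G, which resolves the Host blocks and prints the effective options without connecting. That catches a misspelt option name, an alias that does not match, or the config file name being passed where the host should go. The function names are ours; the option values are the workshop's.

```shell
#!/bin/sh
# Added example, not from the workshop: generate the per-host block built above
# and check what the client will really use with "ssh -G", which resolves the
# Host/Match blocks and prints the effective options without connecting.
set -u

# write_workshop_config FILE ALIAS IP USER
# Writes the same four-option block the workshop types by hand.
write_workshop_config() {
    cat > "$1" <<EOF
Host $2
    Hostname $3
    User $4
    ServerAliveInterval 30
    ServerAliveCountMax 10
EOF
}

# effective_option CONFIG ALIAS OPTION
# Prints the value ssh resolves for OPTION when asked to connect to ALIAS with
# CONFIG. "ssh -G" prints one "keyword value" line per option with keywords in
# lower case, so the requested name is lowercased before matching.
effective_option() {
    key=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    ssh -F "$1" -G "$2" | awk -v k="$key" '$1 == k { print $2; exit }'
}

# Usage: sh check-config.sh null-puliya-ssh-config server100
if [ $# -eq 2 ]; then
    for opt in Hostname User Port ServerAliveInterval ServerAliveCountMax; do
        printf '%-20s %s\n' "$opt" "$(effective_option "$1" "$2" "$opt")"
    done
fi
```

An alias the config does not know about simply falls through to the defaults, so hostname comes back as the alias itself and user as your local username; that is the quickest way to spot a typo in a Host line.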

Five minutes to go over other configuration options

For SSH clients

man 5 ssh_config

For SSH server

man 5 sshd_config

Using an identity file

Generating a public/private key pair

There are many options. For today we will do the following two:

  1. RSA
  2. Ed25519 (a twisted Edwards curve)

DSA is not recommended anymore (OpenSSH has disabled it by default since 7.0), and neither are RSA keys smaller than 2048 bits; if you must use RSA, generate 4096-bit keys.

RSA (Older way, but more compatible)

ssh-keygen -t rsa -b 4096

Pay attention to the output

Generating public/private rsa key pair.
Enter file in which to save the key (/path/to/home/dir/.ssh/id_rsa):

For now we don't want to save in the default place so give it a descriptive name.

server100rsa

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

For the duration of this workshop, the passphrase for all identities is passpass. This is just to ensure that we don't waste any time trying to remember passphrases.

Two files will be generated.

server100rsa.pub and server100rsa

If you don't want the public key to leak your laptop username and hostname (the default comment is user@host), set the comment yourself:

ssh-keygen -t rsa -b 4096 -C "null-puliya"

Ed25519 (What you should be using)

ssh-keygen -t ed25519 -f server100ed -N passpass -C "null-puliya-ed25519"

Flag    Comment
-t      Type of key for identity
-f      File name of the identity key pair
-N      Passphrase that will secure the secret key
-C      Comment which is added to the public part of the key pair

Passing the passphrase with -N puts it in your shell history; outside the workshop, leave -N out and type it at the prompt.

Two files will be generated.

server100ed.pub and server100ed

How do we use this identity to log in without a password?

Two steps need to happen

Step    Remark
1       Copy the public key file to the server
2       Use the private key file when logging in to the server, after step 1
Step 1

See if you have the ssh-copy-id command on your client. If yes, use this command for a dry run:

ssh-copy-id -n -i server100ed.pub user@192.168.1.100

This is a dry run. Shows you exactly what will be copied. If we are happy run the command without -n.

ssh-copy-id -i server100ed.pub user@192.168.1.100

If your client does not have ssh-copy-id, the other way is to append the public key to ~/.ssh/authorized_keys on the server yourself, with mode 700 on ~/.ssh and 600 on the file; sshd ignores an authorized_keys file with looser permissions.
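Written out, the manual copy looks like the script below. It is an added example, not from the workshop: it streams the public key over stdin (so it never appears in a remote command line), appends it to authorized_keys exactly once, fixes the permissions, and refuses to send a file that looks like the private half, which is the classic mistake. The RUNNER variable is our own device so the function can be exercised locally against a stand-in for ssh.

```shell
#!/bin/sh
# Added example, not from the workshop: what ssh-copy-id does, written out for
# clients that do not ship it. Appends the public key to the remote
# ~/.ssh/authorized_keys exactly once and sets the permissions sshd requires
# (700 on ~/.ssh, 600 on the file), otherwise the key is silently ignored.
set -u

# Command that gives us a remote shell: ssh in real use, overridable so the
# function can be exercised locally (an assumption of this example).
RUNNER="${RUNNER:-ssh}"

# install_pubkey PUBKEY_FILE [user@]HOST
# The key travels over stdin, so it never shows up in a remote command line
# or process listing. Prints "added" or "already present".
install_pubkey() {
    pubkey_file="$1"
    target="$2"
    [ -f "$pubkey_file" ] || { echo "no such file: $pubkey_file" >&2; return 2; }
    # The classic mistake is sending the private half; refuse it outright.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "$pubkey_file looks like a private key, not the .pub file" >&2
        return 2
    fi
    # Everything inside the single quotes runs on the server.
    $RUNNER "$target" 'umask 077
        key=$(cat)
        mkdir -p ~/.ssh
        touch ~/.ssh/authorized_keys
        chmod 700 ~/.ssh
        chmod 600 ~/.ssh/authorized_keys
        if grep -qxF -- "$key" ~/.ssh/authorized_keys; then
            echo "already present"
        else
            printf "%s\n" "$key" >> ~/.ssh/authorized_keys
            echo "added"
        fi' < "$pubkey_file"
}

# Usage: sh install-key.sh server100ed.pub akash@192.168.1.100
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Run it twice and the second call reports "already present" instead of adding a duplicate line, which is what ssh-copy-id's own check does for you.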

Step 2

Now that we have copied our public part of the key pair successfully how do we use it?

In a command

ssh -l akash -i server100ed 192.168.1.100
Enter passphrase for key 'server100ed':

Logged in

Update the null-puliya-ssh-config file to include two new directives (we also rename the alias to sshserver100, the name used from here on):

Host sshserver100
    Hostname 192.168.1.100
    User akash
    ServerAliveInterval 30
    ServerAliveCountMax 10
    IdentityFile server100ed
    IdentitiesOnly yes

IdentitiesOnly stops the client from offering every key the agent knows before this one, which matters against servers that drop the connection after a few failed attempts. A relative IdentityFile path is resolved from the directory you run ssh in, so run these commands from effective-ssh-usage-for-pentesters.

Now let's try

ssh -F null-puliya-ssh-config sshserver100

We just traded entering our password every time with now having to enter a passphrase every time!! #@#$@#$!!!!

Let's make sure that when we enter the passphrase this time, our SSH client remembers it until we reboot the laptop (or, with ssh-add -t 3600, for an hour). This is done using an SSH agent:

ssh-add `pwd`/server100ed

To list all the added identities

ssh-add -l

To delete an identity so that we get asked for the passphrase again (ssh-add -d takes the public key file)

ssh-add -d `pwd`/server100ed.pub

Try to login to the server now

ssh akash@192.168.1.100

Or with config file

ssh -F null-puliya-ssh-config sshserver100

Becoming effective

Being able to use config files to login to SSH servers with the appropriate identities, per host configurations etc. is just the starting point of becoming effective.

The following kinds of activities become simple once you have the basics in place

  1. Secure copy of files and folders to and from servers
  2. Using one server as a jump box to another server
  3. Using a server as a SOCKS proxy to send all data through it

Secure copying of files

Let us copy a folder from the server. scp takes the same -F flag as ssh, and like ssh it wants the options before the source and destination:

scp <SSH-RELATED-CONFIG> -r <SOURCE> <DESTINATION>
scp -F null-puliya-ssh-config -r sshserver100:/usr/local/share/wordpress-files wordpress-files

We can always have source as local and destination on the server. We just need to ensure that we have adequate permission to write to the path we want to write to

Let's copy the wordpress-files to our home directory on the server

scp -F null-puliya-ssh-config -r wordpress-files sshserver100:.

Here the alias sshserver100 expands to akash@192.168.1.100 through the config file, and the . after the colon is the current directory on the server, which for a fresh login is the home directory.

If you are confused, ask yourself this question. What is the directory I am in when I have just logged in to the server

Using a computer as a jumpbox

ssh -t -F null-puliya-ssh-config -A sshserver100 ssh -p 2222 192.168.1.200

The inner ssh is the remote command, and its -p must come before 192.168.1.200 for the same reason as before. -t allocates a terminal for the inner session. -A forwards your agent to sshserver100, which means anyone with root on that box can use your keys for as long as you are connected; the ProxyCommand/ProxyJump setup in the next step tunnels the second connection through the first without ever exposing the agent, so prefer it and drop -A.

Using the configuration file

Host sshserver100
    Hostname 192.168.1.100
    User akash
    ServerAliveInterval 30
    ServerAliveCountMax 10
    IdentityFile server100ed
    IdentitiesOnly yes
Host sshserver200
    Hostname 192.168.1.200
    Port 2222
    User akash
    # OpenSSH 7.3 and newer: reuses the sshserver100 block above and passes -F through
    #ProxyJump sshserver100
    # Older clients: the inner ssh does not inherit -F, so name the config file explicitly
    ProxyCommand ssh -F null-puliya-ssh-config -W %h:%p sshserver100
    ServerAliveInterval 30
    ServerAliveCountMax 10

Now we can simply run this command

ssh -F null-puliya-ssh-config sshserver200

Did you notice we are being asked for the password for the second server? Remember ssh-copy-id (again, options before the host):

ssh-copy-id -i server100ed.pub -p 2222 akash@192.168.1.200

Now try again

ssh -F null-puliya-ssh-config sshserver200

References

Proxies and Jump Hosts

A great reference for this topic is OpenSSH Cookbook - Proxies and Jump Hosts

Capturing Output and Input

OpenSSH Cookbook - Remote Processes

Misc
