SSH Penetration Testing (Port 22)

Probing every open port is practically the first step an attacker takes to prepare an attack. A service has to keep its port open to do its job, yet every open port is a target, so one must learn to secure ports even while they are open. In this post, we discuss penetration testing of SSH, also known as Secure Shell.

Table of content

  • Introduction to SSH
  • SSH Installation
  • SSH Port Scanning
  • Methods to Connect SSH
    • Terminal Command (Linux)
    • Putty (Windows)
  • Port Redirection
  • Establish SSH connection using RSA key
  • Exploit SSH with Metasploit
    • SSH Key Persistence- Post Exploitation
    • Stealing the SSH key
    • SSH login using pubkey
  • SSH Password cracking

Introduction to SSH

The SSH protocol, also referred to as Secure Shell, is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication, and it protects the security and integrity of connections and communications with strong encryption. It is a secure alternative to the unprotected login protocols (such as telnet and rlogin) and insecure file transfer methods (such as FTP).

SSH Installation

It is very easy to install and configure the SSH service: we can install it directly using the openssh-server package from the Ubuntu repository. To install any service you must have a root-privileged account; then follow the command given below.

When you execute the above command, it extracts the package and installs the default configuration on the host machine. You can check the open port with the help of the netstat command on the host machine.

SSH Port Scanning

If you don’t have direct access to the host machine, use nmap to remotely identify the port state; this is considered the initial step of a penetration test. Here we are going to use Kali Linux to perform the penetration test.

So, to identify an open port on a remote network, we will use an nmap version scan, which not only identifies an open port but also performs banner grabbing, showing the installed version of the service.

Methods to Connect SSH

Terminal Command (Linux)

Now execute the following command to access the SSH shell of the remote machine as an authorized user.

Username: ignite

Password: 123

Putty (Windows)

Step1: Install putty.exe and run it, then enter the host IP address <192.168.1.103> and port <22>, and choose SSH as the connection type.

Step2: To establish a connection between the client and the server, a putty session will be generated that requires a login credential.

Username: ignite

Password: 123

Port Redirection

By default, SSH listens on port 22, which means that if an attacker identifies port 22 as open, he can try attacks on port 22 in order to connect to the host machine. Therefore, a system admin may choose port redirection (port mapping), changing the default port to another one, so that connection requests are received from the authorized network.

Follow the below steps for port redirection:

Step1: Edit sshd_config inside /etc/sshd using an editor.

Step2: Change port 22 to 2222 and save the file.

Step3: Then restart the SSH service.

Port Redirection Testing

Thus, when we ran the scan on port 22, it showed the port state as CLOSED for SSH, whereas port 2222 is OPEN for SSH, as can be seen in the given image.

Establish SSH connection using RSA key

Strong passwords alone are not enough to secure the server, because a brute force attack can still crack them. That is why you need an additional security method to secure the SSH server.

SSH key pairs are another necessary feature for authenticating clients to the server. A key pair consists of two long strings of characters: a public key and a private key. You place the public key on the server and the private key on the client machine, and unlock the server by connecting with the client machine’s private key. Once the keys match, the system permits you to establish an SSH session automatically without typing a password.

ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.

Thus, we will follow these steps to generate a key pair for an authenticated connection.

Step1: Run the given command to generate an SSH key pair (id_rsa and id_rsa.pub) on the host machine, Ubuntu.

Step2: The same should be done on the client machine that is authorized to establish the connection with the host machine (Ubuntu).

Step3: Once the SSH key pair (id_rsa and id_rsa.pub) is generated, rename id_rsa.pub to authorized_keys, as shown in the given image.

Step4: Share authorized_keys with the host machine by copying it into the .ssh directory.

Step5: Edit sshd_config inside /etc/sshd using an editor.

Step6: Uncomment the “PasswordAuthentication no” line.

As a result, only the authorized machine whose RSA key is present can establish a connection with the host machine, without using a password.

Now if you try to connect to the SSH server using your username and password, the server will drop your connection request, because it only authenticates requests that present an authorized key.
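The two server-side changes above (a non-default Port and PasswordAuthentication no) are easy to get wrong, because sshd applies the first value it reads for a keyword, ignores commented-out lines, and scopes anything under a Match block to matching connections only. The following Python script is an added example, not part of the original post or of OpenSSH: it parses an sshd_config text with those rules and reports the weak settings discussed here. The two configuration texts in it are constructed, and the PermitRootLogin default it assumes is that of current OpenSSH releases.

```python
import re

# Defaults for the keywords this article changes, as documented for current
# OpenSSH releases (assumption: a release where PermitRootLogin defaults to
# prohibit-password; older releases defaulted it to yes).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global part of an sshd_config.

    sshd rules applied here: keywords are case-insensitive, '#' starts a
    comment, keyword and value are separated by whitespace or '=', and the
    FIRST value obtained for a keyword wins (a later duplicate is ignored).
    Everything from the first Match block onward is skipped, because those
    directives apply only to matching connections, not globally.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def audit_sshd_config(text):
    """Return [(keyword, effective_value, why_it_matters)] for weak settings."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if cfg["port"] == "22":
        findings.append(("Port", "22", "default port; the first thing a scanner probes"))
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password logins allowed, so brute force is possible"))
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append(("PubkeyAuthentication", cfg["pubkeyauthentication"],
                         "key-based login is disabled"))
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", "yes", "root may log in directly with a password"))
    return findings


# Constructed sample: a stock-looking file before the article's edits ...
STOCK_CONFIG = """\
# Commented-out lines show the compiled-in defaults; they set nothing.
#Port 22
#PasswordAuthentication yes
PermitRootLogin yes
"""

# ... and the same file after the Port and PasswordAuthentication steps. The
# Match block re-enables passwords for one account only and must not count.
HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for keyword, value, why in audit_sshd_config(text) or [("-", "-", "no findings")]:
            print(f"  {keyword} = {value}: {why}")
```

Moving the port to 2222 only removes the service from the default-port probe; the version scan in the article's own test finds it on 2222 anyway, which is why the PasswordAuthentication finding carries more weight than the Port finding.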

Step7: Copy the id_rsa key from Kali Linux to the Windows machine, to establish a connection using authorized keys from the Windows machine.

Step8: Install puttygen.exe

Step 9: Run puttygen.exe, load id_rsa and use “save as key”, naming it Key

Step10: Use putty.exe to connect to the host machine by entering hostname 192.168.1.103 and port 22.

Step11: Navigate to SSH > Auth and browse to the private key that you saved in step 9.

This will establish an ssh connection between windows client and server without using a password.

Exploit SSH with Metasploit

SSH Key Persistence- Post Exploitation

Consider a situation where, by compromising the host machine, you have obtained a meterpreter session and want to leave a permanent backdoor that will provide a reverse connection next time.

This can be achieved with the help of the Metasploit post-exploitation module named “SSH Key Persistence” when port 22 is open on the host machine.

This module will add an SSH key to a specified user (or all users), to allow remote login to the victim via SSH at any time.

As can be seen in the given image, it added authorized keys to /home/ignite/.ssh and stored a private key within /root/.msf4/loot.

We verify this by connecting to the host machine via port 22 using the private key generated above. Here I have renamed the private key to “key” and given it permission 600.

Bravo!! It works without any hitch, and in this way we can use an SSH key as a persistent backdoor.

Stealing the SSH key

Consider a situation where, by compromising the host machine, you have obtained a meterpreter session, port 22 is open for SSH, and you want to steal the SSH public key and authorized key. This can be done with the help of the Metasploit post-exploitation module named “Multi Gather OpenSSH PKI Credentials Collection”, as discussed below.

This module will collect the contents of all users’ .ssh directories on the targeted machine. Additionally, known_hosts, authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.

From the image given below you can see that we have got all the authorized keys stored in /home/ignite/.ssh onto our local machine at /root/.msf4/loot; now use those keys to log in to the SSH server.

This can also be done manually by downloading the keys directly from inside /home/ignite/.ssh, as shown in the image below.

We verify this by connecting to the host machine via port 22 using the private key downloaded above. Let’s change the permissions on the RSA key; to do this, follow the step given below.

It works without any hitch, and in this way we can use a stolen SSH key as a persistent backdoor.
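Both techniques above leave the same trace on the host: a line in a user's authorized_keys (or a copied private key) that the administrator never issued. As an added example from the defender's side, not code from the post or from Metasploit, the following Python script parses authorized_keys lines, computes the OpenSSH SHA256 fingerprint of each key blob, and flags any key whose fingerprint is not on an approved list, whose declared type does not match the blob, or which cannot be parsed. The sample file and the ssh-ed25519 values in it are constructed for the example (syntactically valid blobs, not real key pairs), and the approved-fingerprint list is assumed to come from the administrator's own key inventory.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts.

    Line format: [options] keytype base64-blob [comment]. Options may contain
    quoted spaces, so the key-type token is located rather than assumed to be
    in a fixed column. The blob embeds its own type name; a mismatch with the
    declared keytype is recorded because it points to hand-edited lines.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "error": "no recognised key type/blob"})
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
            (name_len,) = struct.unpack(">I", blob[:4])
        except (ValueError, struct.error):  # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "key blob is not valid base64/wire format"})
            continue
        embedded_type = blob[4:4 + name_len].decode(errors="replace")
        entries.append({
            "line": lineno,
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "fingerprint": fingerprint(blob),
            "comment": " ".join(fields[idx + 2:]),
            "type_matches": embedded_type == fields[idx],
        })
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """Return entries that are malformed, mistyped, or not on the approved list.

    The approved list is the set of fingerprints the administrator issued;
    anything else in the file was added outside that process, which is exactly
    what a persistence module leaves behind.
    """
    flagged = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            entry["reason"] = entry["error"]
        elif not entry["type_matches"]:
            entry["reason"] = "declared key type does not match the key blob"
        elif entry["fingerprint"] not in approved_fingerprints:
            entry["reason"] = "fingerprint not on the approved list"
        else:
            continue
        flagged.append(entry)
    return flagged


def fake_ed25519_line(seed, comment, options=""):
    """Build a syntactically valid ssh-ed25519 line from a constructed 32-byte
    value (NOT a real key pair; used only so the example runs offline)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    prefix = options + " " if options else ""
    return f"{prefix}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample file: the admin's key, a key that appeared later with a
# root@kali comment, and a line whose declared type was hand-edited to ssh-rsa.
ADMIN_LINE = fake_ed25519_line(b"admin", "ignite@ubuntu", 'from="192.168.1.0/24"')
ROGUE_LINE = fake_ed25519_line(b"rogue", "root@kali")
MISTYPED_LINE = fake_ed25519_line(b"admin", "ignite@ubuntu").replace("ssh-ed25519", "ssh-rsa", 1)
SAMPLE_FILE = "\n".join(["# keys for ignite", ADMIN_LINE, ROGUE_LINE, MISTYPED_LINE])
APPROVED = {parse_authorized_keys(ADMIN_LINE)[0]["fingerprint"]}

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_FILE, APPROVED):
        print(f"line {entry['line']}: {entry['reason']} ({entry.get('comment', '')})")
```

Run it against every .ssh/authorized_keys on the host (root's included) and pair it with a file-integrity check on those files, so that a line added by a persistence module is noticed even between scheduled audits.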

SSH login using pubkey

Suppose you have the id_rsa key of the host machine and want to obtain a meterpreter session via Metasploit; this can be achieved with the help of the following module.

This module will test SSH logins on a range of machines using a defined private key file and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory.

This gives a command session, which can be upgraded to a meterpreter session by executing the following command.

SSH Password cracking

We can test a brute force attack on SSH to guess the password, or to test the lockout threshold policy, while performing a penetration test on SSH. It requires a dictionary for the username list and a password list; here we have the username dictionary “user.txt” and the password list “pass.txt” to perform the brute force attack with the help of hydra.

As a result, you can observe that the host machine has no defence against brute force attacks, and we were able to obtain SSH credentials.

To protect your service against brute force attacks you can use fail2ban, which is an IPS. Read more here about setting up the fail2ban IPS in the network.

If you observe the image given below, you can see that this time the connection request is dropped by the host machine when we try to launch a brute force attack.

SSH Public Key Login Scanner

This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory. Only a single passphrase is supported, however, so it must either be shared between subject keys or only belong to a single one.

As a result, you can observe that user “ignite” is authorized to use the public key to connect to SSH on the host machine.

SSH User Code Execution

This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. Thus we gave the host IP along with the username and password; if everything goes right, we get a meterpreter session on our listening machine.

As a result, you can observe that we have a meterpreter session on the host machine.

Conclusion: In this post, we tried to discuss possible ways to secure SSH and to perform penetration testing against such a scenario.

Author: Nisha Sharma is trained in Certified Ethical Hacking and Bug Bounty Hunting.

Defend against Brute Force Attack with Fail2ban

Daily we hear news related to cybercrime: malicious users or bots have successfully defaced some publicly accessible websites or services. As we always try to explain through our articles, such activities are possible when a system is weakly configured or misconfigured. It is therefore important to build in security measures, such as an IDS/IPS in the firewall, to defend your server and clients while configuring it.

In this article, we will show how you can protect your network and its running network services from brute force attacks.

The answer is: Using IPS in your network.

Table of Content

  • What is an IPS?
  • Introduction to fail2ban
  • Lab Setup Requirement
  • Brute Force Attack in Absence of IPS
  • Intrusion Prevention Lab Set-Up
  • Configure Fail2Ban
  • Protect SSH Against Brute Force Attack
  • Testing Fail2ban
  • How to unban IP in fail2ban for SSH
  • Protect FTP against Brute Force Attack
  • Testing Fail2ban for VSFTP
  • Unban IP for VSFTPD

What is an IPS?

Intrusion Prevention System, IPS for short, is a network security measure that examines incoming traffic to perform intrusion detection and then blocks the detected incidents. For example, an IPS can drop malicious packets or ban the traffic coming from an offending IP address.

Introduction to fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs — too many password failures, seeking for exploits, etc. Generally, Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.

In this article, I will discuss how to protect your running services against brute force attacks using fail2ban.

Source: https://www.fail2ban.org/wiki/index.php/Main_Page

Lab Setup Requirement

Victim’s Machine: Ubuntu 14.04  (192.168.0.105)

Pentester’s Machine: Kali Linux (192.168.0.105)

Brute Force Attack in Absence of IPS

Now let’s try to launch a brute force attack on port 22, which is open in the target’s network, to make an unauthorized login. With the help of hydra, we will try to guess the SSH login credentials.

As you can observe in the above image, it has successfully found aarti:123 for SSH login. Similarly, let’s launch a brute force attack on port 21, which is also open in the target’s network, to make an unauthorized login. With the help of hydra, we will try to guess the FTP login credentials.

And from the image given below, you can observe how badly these services are configured. The network administrator has not even followed password complexity rules; as a result, it is very easy to launch a brute force attack against such a network.

Intrusion Prevention Lab Set-Up

Therefore, I decided to set up an Intrusion Prevention System in this network, which will monitor incoming packets, detect malicious activity and block the traffic coming from the offending IP. It is very easy to install fail2ban, as Ubuntu already has a package for it in the apt repositories.

First of all, let me show you the iptables rule list, which is empty as shown in the image below; then execute the installation command. Once it completes, copy the configuration from jail.conf into jail.local.

NOTE: While configuring fail2ban on your machine, you must have root access or use a non-root user with sudo rights.

Configure Fail2Ban

The fail2ban service keeps its default configuration in “jail.conf” in the /etc/fail2ban directory; you should not edit this file, but you can override it with a jail.local file using the command below, and then open that file to configure it as per your requirement.

Above you have seen that we successfully launched brute force attacks on SSH and FTP; therefore I will configure fail2ban to stop brute force attacks in the network.

Once the file is open, you need to focus on a few settings, such as ignoreip, bantime and maxretry, and modify their values as per your requirement: ignoreip lists the IPs you want fail2ban to ignore, bantime sets the ban duration (in seconds), and maxretry sets the maximum number of attempts a user may make before being banned.

Protect SSH Against Brute Force Attack

Ultimately, we come towards that portion of the configuration file which deals with specific services. These are identified by the section headers, such as [ssh].

To enable each of these sections, uncomment the [ssh] header and change the enabled value to “true”, as shown in the image below; then save the jail.local file and restart the fail2ban service:

Testing Fail2ban for SSH

Fail2ban provides a command, “fail2ban-client”, that can be used to control Fail2ban from the command line. To check that Fail2Ban is running and the SSH jail is enabled, you can use the given syntax to confirm its status.

Syntax: fail2ban-client COMMAND

As you can observe, the current filter list and action list are set to 0, or as I would say, empty. These values will change if someone exceeds the maxretry limit.

As said above, fail2ban updates iptables rules to reject IP addresses for a specified amount of time, and from the image given below you can observe that the last 3 rules were created automatically by fail2ban.

Now let’s test the host machine against a brute force attack on SSH login once again:

And as you can observe, this time we got a “Connection refused” error while brute forcing port 22.

Hmm!! Not bad. Let’s also check the status of the ssh jail after this attack.

Now you can observe in the image given below that it shows 1 banned IP, 192.168.0.104, and anybody can explore the log file too for more details.
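The ignoreip, bantime, findtime and maxretry values, together with the enabled [ssh] jail, decide when fail2ban bans an address; the SSH password-cracking section earlier on this page showed what happens when nothing enforces that threshold. The following Python script is an added example, not part of the article or of fail2ban itself: it reads a constructed jail.local fragment with configparser (fail2ban's jail files are INI-style, with [DEFAULT] inherited by every jail) and replays a constructed auth.log excerpt against those settings in a simplified model of fail2ban's counting, returning the addresses that would be banned and until when. The "Failed password" regex is a simplification of fail2ban's sshd filter, and the year is an assumption because syslog timestamps omit it. Newer fail2ban releases name the jail [sshd] rather than [ssh].

```python
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed jail.local fragment in the layout the article edits: values in
# [DEFAULT] apply to every jail; the [ssh] section only switches the jail on.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.105
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
"""

# Constructed auth.log excerpt (not a real capture) in syslog layout.
AUTH_LOG = """\
Dec 10 11:32:01 ubuntu sshd[2201]: Failed password for invalid user admin from 192.168.0.104 port 40110 ssh2
Dec 10 11:32:02 ubuntu sshd[2203]: Failed password for invalid user admin from 192.168.0.104 port 40112 ssh2
Dec 10 11:32:02 ubuntu sshd[2205]: Failed password for aarti from 192.168.0.105 port 40114 ssh2
Dec 10 11:32:03 ubuntu sshd[2207]: Failed password for aarti from 192.168.0.104 port 40116 ssh2
Dec 10 11:32:04 ubuntu sshd[2209]: Failed password for aarti from 192.168.0.104 port 40118 ssh2
Dec 10 11:40:00 ubuntu sshd[2300]: Failed password for root from 10.0.0.7 port 50001 ssh2
Dec 10 11:55:00 ubuntu sshd[2310]: Failed password for root from 10.0.0.7 port 50002 ssh2
Dec 10 11:58:00 ubuntu sshd[2320]: Accepted password for aarti from 192.168.0.105 port 40120 ssh2
"""

# Simplified stand-in for fail2ban's sshd failregex (assumption for the example).
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def load_jail(text, jail):
    """Read the settings fail2ban would use for `jail`, [DEFAULT] inherited;
    None when the jail is absent or not enabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.getboolean(jail, "enabled", fallback=False):
        return None
    return {
        "ignoreip": cp.get(jail, "ignoreip").split(),
        "bantime": cp.getint(jail, "bantime"),
        "findtime": cp.getint(jail, "findtime"),
        "maxretry": cp.getint(jail, "maxretry"),
    }


def is_ignored(ip, networks):
    """True when `ip` falls inside any address or CIDR range listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def simulate_bans(log_text, jail, year=2019):
    """Replay the log against the jail and return {ip: (banned_at, expires)}.

    Model: a failure counts only while it sits within `findtime` seconds of
    the other counted failures from that IP; reaching `maxretry` bans the IP
    for `bantime`; IPs in ignoreip and already-banned IPs are skipped.
    """
    recent = {}
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans or is_ignored(ip, jail["ignoreip"]):
            continue
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= jail["findtime"]]
        window.append(ts)
        recent[ip] = window
        if len(window) >= jail["maxretry"]:
            bans[ip] = (ts, ts + timedelta(seconds=jail["bantime"]))
    return bans


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "ssh")
    for ip, (start, end) in simulate_bans(AUTH_LOG, jail).items():
        print(f"{ip} banned at {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The third failure from 192.168.0.104 within findtime triggers the ban, while 192.168.0.105 (listed in ignoreip) and 10.0.0.7 (two failures fifteen minutes apart, outside findtime) are never banned. Lowering findtime or raising maxretry changes that outcome, which is the trade-off to tune for a service whose legitimate users occasionally mistype a password.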

How to unban IP in fail2ban for SSH

If you wish to unban the IP, then again you can use the fail2ban-client commands and do the same as done here:

And when you check the ssh jail status one more time, this time it will not show any IP in the IP list.

Protect FTP against Brute Force Attack

Similarly, to enable the FTP section, uncomment the [vsftpd] header and change the enabled line to “true”, as shown in the image below; you can also modify maxretry or the log file path as per your requirement.

[vsftpd]
enabled = true
maxretry = 3

Testing Fail2ban for VSFTPD

Now save the jail.local file and restart the fail2ban service; then you can check fail2ban and its jail status, including the iptables rules.

With the help of the above command, we conclude that there are now two jails, ssh and vsftpd, and that some new fail2ban rules have been created within iptables.

Now let’s test the host machine against a brute force attack on FTP login:

And as you can observe, this time we got a connection refused error during the brute force attack. Let’s check the status of the vsftpd jail once again.

Yet again you can observe in the image given below that it shows 1 banned IP, 192.168.0.104, and anybody can check the log file too for more details.

And look at the vsftpd log file; it contains all the details related to the login attempts.

Unban IP in fail2ban for VSFTPD

If you wish to unban or unblock the IP, then again you can use the fail2ban-client commands and do the same as done here:

And when you check the vsftpd jail status once again, this time it will not show any IP in the IP list.

Hope you enjoy the article and find it helpful in your network penetration testing; you can do much more with fail2ban to secure your network.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.

Magic Unicorn – PowerShell Downgrade Attack and Exploitation tool

Magic Unicorn is a simple tool for using a PowerShell downgrade attack that injects shellcode straight into memory. It is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Table of Contents

  • Powershell Attack Instruction
  • HTA Attack Instruction
  • Macro Attack Instruction

Download the unicorn tool from the git repository:

Once downloaded, go into the directory and run unicorn with the following command to see all the possible methods.

Powershell Attack Instructions

First, we will try the reverse_tcp payload. As we can see in the main menu, all the commands are already written; we just need to replace the IP with our own.

This will give us two files. One is a text file named “powershell_attack.txt”, which has the PowerShell code that will be run on the victim’s machine using social engineering; the other is “unicorn.rc”, a custom Metasploit resource file that will automatically set all the parameters and start a listener.

These files will be saved in the directory where unicorn was cloned. powershell_attack.txt holds the malicious code, and when the victim executes that code in his command prompt, the attacker gets a reverse connection to his machine.
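The downgrade the tool relies on (running its payload under the PowerShell 2.0 engine, which predates script block logging and AMSI) also shows up in process-creation logs as a recognisable command line. As an added example from the defender's side, not code from the post or from Unicorn, the following Python script scores PowerShell command lines for the downgrade flag and the launch options commonly paired with it. The command lines it checks are constructed, the indicator weights are an assumption for the example, and powershell.exe's acceptance of prefix-abbreviated parameters (-nop, -w, -ep, -e, -v) is real.

```python
import re


def prefixes(word, minimum):
    """Alternation of every prefix of `word` with at least `minimum` letters,
    longest first, because powershell.exe accepts unambiguous abbreviations."""
    return "(?:" + "|".join(word[:i] for i in range(len(word), minimum - 1, -1)) + ")"


# (regex, weight). Weights are an assumption for this example: the v2 engine
# downgrade alone is enough to flag, the rest only add up.
INDICATORS = {
    "engine downgrade (-Version 2)": (
        re.compile(r"(?:^|\s)-" + prefixes("version", 1) + r"\s+2(?:\.0)?(?=\s|$)", re.I), 3),
    "encoded command": (
        re.compile(r"(?:^|\s)-(?:ec|" + prefixes("encodedcommand", 1) + r")\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    "hidden window": (
        re.compile(r"(?:^|\s)-" + prefixes("windowstyle", 1) + r"\s+hidden(?=\s|$)", re.I), 1),
    "profile skipped": (
        re.compile(r"(?:^|\s)-" + prefixes("noprofile", 3) + r"(?=\s|$)", re.I), 1),
    "execution policy bypassed": (
        re.compile(r"(?:^|\s)-(?:ep|" + prefixes("executionpolicy", 2) + r")\s+(?:bypass|unrestricted)(?=\s|$)", re.I), 1),
}

POWERSHELL = re.compile(r"powershell(?:\.exe)?", re.I)


def analyse_command_line(cmd):
    """Return (score, [indicator names]) for one process command line;
    anything that is not a powershell.exe launch scores 0."""
    if not POWERSHELL.search(cmd):
        return 0, []
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmd)]
    return sum(INDICATORS[name][1] for name in hits), hits


def is_suspicious(cmd, threshold=3):
    """True when the weighted indicators reach `threshold` (a downgrade alone does)."""
    return analyse_command_line(cmd)[0] >= threshold


# Constructed command lines (not captured from a real host). The base64 in
# the first one is a placeholder, not an actual payload.
SAMPLE_COMMAND_LINES = [
    "powershell -nop -w hidden -ep bypass -v 2 -e QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
    'powershell.exe -NoProfile -Version 2.0 -Command "Get-Date"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1",
    "C:\\Windows\\System32\\cmd.exe /c dir",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        score, hits = analyse_command_line(cmd)
        verdict = "SUSPICIOUS" if is_suspicious(cmd) else "ok"
        print(f"{verdict:10} score={score} {hits}\n    {cmd}")
```

The v2 engine is an optional Windows feature that can be removed, which turns the downgrade into a failed launch rather than an unlogged one; where it must stay, feed command lines from process-creation auditing (event ID 4688 with command-line logging enabled, or Sysmon event 1) through a check like this.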

Now let’s set up a listener first. We need to run the Metasploit “unicorn.rc” file using the following command:

We see a session was obtained in meterpreter, because the PowerShell code was executed in the victim’s command shell. It would have looked something like this:

HTA Attack Instructions

For our next attack, we will be using an HTA payload.

Now convert your IP into a bit.ly URL, send it to the victim and wait for the user to click on the “launcher.hta” file, which can easily be arranged using social engineering.

So, we set up a Metasploit listener next using the RC file and wait for the user to click on the HTA payload.

As soon as he ran the file, we received a meterpreter session. We checked the system info using the sysinfo command.

Macro Attack Instructions

Now for the third and final payload of this tutorial, we turn to our beloved macros.

This again creates a text file and a “.rc” file with the same name in the same location.

To enable developer mode there are various methods, depending on your version of MS Office.

As for a generic approach, let’s say you enabled it like this:

File->properties->ribbons->developer mode

You will see an extra tab labeled Developer once it is enabled.

As for the attack, go to Developer->Macros and create a new macro named “Auto_Open”.

Simply paste the contents of “powershell_attack.txt” into this xlsx module and save it.

As soon as you click run (the little green icon at the top), it will give you an error! Don’t worry! You want that error. It is supposed to happen.

Soon after the error on the user’s screen, we will have obtained a session successfully in meterpreter!

Use sysinfo to double-check our successful exploitation using unicorn!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.