SSH Enumeration

00:00

Alright, Ssh enumeration. We've nearly made it to the end of this module. On network protocols are learning objectives are to understand what Ssh is used for, to demonstrate how to enumerate Ssh and then explain how to port forward with Ssh, which

00:15

it took me a very long time to figure out what that was all about. So I will show you how to do that a little bit later.

00:21

S. S. H. Stands for secure shell. I talked about I have a raspberry pi at home um how I interact with it is through Ssh is just being able to get a shell to a remote system and it's a secure shell. So people used to interact with systems remote systems through telnet, we'll tell that was a clear text protocol

00:40

and as we saw during the wire shark module, if someone sniffing traffic

00:44

and you're doing things in the clear, they could see when you logged in and of course like the first thing that pops up in telnet as with Ssh to ask you for a user name and password. So intel net um what happened was, you know, people would see when people would enter their credentials,

01:00

they could see everything in the clear so they could filch somebody's username and password.

01:06

Thus shh was created to use encryption.

01:11

Um And that's why when I talked about wire Shark and seeing clear text in on port 22 that's a red flag to defenders because ssh is encrypted. So you would not be able to see in clear text what someone was doing on port 22 if they were in fact using Ssh.

01:29

So port 22 is the normal port for this. Like I I talked about I hide mine on my raspberry pi for on port leet.

01:37

Um so it uses encryption so it uses an asymmetric key pair. So asymmetric encryption meaning a public key and a private key, a public key that you share and a private key that you keep private.

01:52

Also as far as shells go and we have a whole block on on shells. But

01:57

as far as shells go, like this is perhaps the best shell better than getting a net cat

02:01

shell, Ssh is great because you can use tab completion, it's very stable. You can look at your history, you can upload and download things. It has secure copy. So it's it's if you're a hacker and you're able to ssh onto a machine, this is like the platinum standard if you will.

02:23

So there's different types of logins with ssh. You can use, you know, username and password as you can see here, I'm admin and in this case I'm not using a password,

02:32

I'm using a pass phrase. So when you create a key pair which you saw during the NF NF. S block, um it created a public key and a private key. So here I'm using a private key to log into this admin at local host. Um So the private key, it can also have a pass phrase in it as well for security.

02:54

Um I have ec two instances with a W. S. E. C. Two uses a public private key pair and doesn't use a username password, which you can enable that of course. But I would set up an EC two instance and leave port 22 open on the internet

03:09

And I would see all these bots and and malicious traffic trying to log onto my ec two instance

03:15

and brute force user name and password. When in fact the only way to log on to my Ec two instance was with a private key with the public key being on that A. C. Two instance. So that's how it recognizes it. And you saw that during an NFS lab

03:30

where we created a key pair, we created I. D. R. S. A. Which was the private key. And if you actually cat DRS and look at it,

03:38

it says private on it. And then there is the public key ID RSA pub.

03:44

And what we did was we put the public key into authorized keys. So those are all the keys that are recognized on that machine that are able to authenticate into that machine. And that's why we upended our public key into the authorized keys of that medicine palatable box.

04:03

So if you can use username and password, a great way to do that is to brute force if you don't know what it is. Um And you can see I've used hydra again here and map has a brute force script in it. It takes a very long time. So hydro would be my rule of choice in brute forcing logins now.

04:21

For the most part, you know what I've done Cts and hacked the box, things like that, I've never been

04:27

banned from brute forcing. Ssh So this is a great protocol where you can try brute forcing without being worried about lockouts.

04:40

Also let's say you log onto a machine and whatever user you are has a restricted or our bash shell and you can only execute certain commands a way around that is to do this tack t option where you can specify either shell, S. H. Or the born again shell bash.

04:59

So if you do log in and you seem to not have all that your functionality,

05:03

try specifying um a particular shell either as either shell or bash. Now we have disease shells. E. S. H.

05:13

Um

05:14

You can also do an individual command. So as down here you see Ssh root at 10 to 10 to 10 to 10 cat etc. Password. So if you wanna be stealthy if you just want to use a single command, log on log off

05:26

um you can you can do that with Ssh as well.

05:30

Mm

05:31

So port forwarding. Um Again this is something that took me a long time to figure out it is in the P. W. K. Material.

05:39

Local port forwarding. I want you to focus on local port forwarding and dynamic port forwarding.

05:44

So for local port forwarding I am just using a local port and forwarding it to uh to this I. P. Address in a different sub net and I'm specifying the port so if they have a web server up perhaps that I want to get to. Um I'm just going to do a 1 to 1 connection with port 80.

06:03

Um and I'll show you that in the demo dynamic port forwarding. You need to you need to use socks for proxy. And this is perhaps I would say better than local port forwarding if you want to use a few different tools, but you also have to make sure your socks for proxy is set up correctly and use a tool called proxy chains.

06:21

So I'm going to show you that right now.

06:28

All right. So we've scanned this host. We see that port 22 is open. We see the version open Ssh 7.4. You can of course look for vulnerabilities in open ssh 7.4.

06:39

Um Apparently you can brute force or figure out the different users and open ssh 7.4.

06:46

But I'm going to assume or hope that the root user is on this this machine. So I'm gonna use hydra.

06:55

Mhm.

07:00

L root

07:01

and we're gonna use user

07:04

shared word list.

07:08

Rock. You

07:10

And we're going to specify your host 192168

07:14

149 S. S. H. And give that a go.

07:24

So as you can see here found um the credentials for the user is Quartey

07:29

Mr robot fan. You can appreciate that.

07:31

So we're going to do now is we're going to ssh onto this machine. So I specify ssh root at 192168149

07:46

And I'll go Corti.

07:51

So what I want to do now is of course enumerate. That's the big thing in. Oh SCP. Right let's enumerate. So one thing I might look at is the ARP cache and see what other machines this machine has spoken to

08:03

for lack of a better word

08:05

and you can see here um you know, we're on the subject 1921681 You know 49. Is this one? Our machine is um

08:16

I believe 2 28,

08:20

Yep 2 28.

08:22

But we see here that is speaking to another computer, has it in its ARP cache here. 10 1231232

08:30

So if I actually tried to ping

08:35

ping

08:37

10.123.123.2.

08:43

Of course it helps to spell it correctly.

08:46

That's not gonna work. So how do we, how do we interact with this machine on this different sub net?

08:50

So one thing I'm gonna look at is figure out.

08:56

So this machine zip on that sub net is 10.123.123.5.

09:01

We're going to hope that we can live off the land here. And this machine pivot has end map in it. So end map.

09:09

We're just going to specify this host

09:13

And we see that Port 80 is open.

09:16

So this is where we look at port forwarding.

09:22

So what we're gonna do now is

09:26

is exit out of here,

09:28

clear this

09:30

and we're gonna do this local port forward.

09:37

Yeah.

09:39

So

09:39

yeah,

09:41

what I'm doing here

09:43

is ssh local port forward. We're forwarding to our local port 1234 from this remote host. We saw the web server was open on port 80

09:54

and we're going through this pivot host here

09:58

named pivot.

09:58

Well,

09:58

so we're entering our password. Corti again

10:01

we can see we're on pivot

10:03

And now what we can do is open up a web browser and because we're forwarding it locally to port 1234

10:11

I'm gonna go local host 1234 and you can see now I have access to the employee confidential database. So of course if I

10:22

disable my connection here.

10:24

Yeah.

10:24

Yeah.

10:26

Mhm.

10:28

That breaks the connection here.

10:31

Now dynamic port forwarding so this this took me a little bit to figure out.

10:35

We're gonna look at proxy chains

10:39

and our file

10:39

so a casting etc. Proxy chains for the configuration file and we see socks for proxy is set locally to port 90 50.

10:50

So what I'm going to do now

10:52

is used dynamic port forwarding with this configuration here.

10:58

The big end just makes it quiet so you don't see the login prompt, you can see locally port 9050 which matches our configuration up here for proxy chains.

11:09

I'm going to change this to root

11:13

and her Quartey

11:16

like I said we don't see a command prompt now but in Lennox we hope that silence means success.

11:20

So what I can do now is use different tools using proxy chain so I'm gonna split this vertically.

11:28

I'm going to use the tool proxy chains and because I know it has a web server I'm going to use the curl command

11:35

to see what this web pages

11:39

and you can see here that it does in fact work. We can interact remotely with this machine here on this separate or separate subnets I should say.

11:48

And there's some output here about the chain

11:52

Actually connecting to 101231232 or in Port 80. And we can see yet again

11:58

um that we've interacted with this employee confidential database page.