Date post: 12-May-2015
Category: Technology
Upload: tiago-henriques
(mis)Trusting and (ab)Using SSH
Tips and Tricks for Pentesters and Sysadmins
Herman Duarte <[email protected]>
Bruno Morisson <[email protected]>
1Monday, July 2, 12
About us
Bruno Morisson <[email protected]>
http://genhex.org/~mori/
I do security stuff @ INTEGRITY S.A.
@morisson
http://www.linkedin.com/in/morisson
Herman Duarte <[email protected]>
InfoSEC addict @ INTEGRITY S.A.
@hdontwit
http://www.linkedin.com/in/hcoduarte
In the beginning of times...
Telnet
r* services (rlogin, rsh)
Weak (or no) authentication
Communication in clear
In the beginning of times...
Sniffing
Interception
Hijacking
Man-In-The-Middle
...
Enter the Dragon^WSSH
SSH* features
Key agreement (DH)
Encrypted communications (C&I from CIA)
Multiple authentication options (password, public keys, kerberos, etc...)
Channel Multiplexing
Port Forwarding
VPN
...and so much more!
* for this talk SSH==SSHv2
SSH 101 - The Basics
SSH layers (top to bottom), over TCP/IP:
Connection: Session Multiplexing, TCP forwarding, socket forwarding, sftp subsystem, etc
User Auth: User Authentication (password, Pubkey, etc)
Transport: Key Agreement (DH), Host auth, Integrity, Encryption, Re-Keying
TCP
IP
SSH 101 - The Basics
Client <-> Server:
Encrypted Channel Setup
User Authentication
Connection
SSH 101 - The Basics
User authentication methods:
GSSAPI
Host-Based
Public Key
Challenge-Response
Password
Password Authentication
Client: ssh
Server: sshd, passwd file
Client <-> Server: Encrypted Channel Setup
Client -> Server: username, use password
Server -> Client: OK
Client -> Server: Password
Server -> Client: Auth Ok / NOk
If the server is compromised...
sshd binary is replaced with one that logs passwords
keylogger is installed on the server
...the password is compromised!
PublicKey Authentication
Client: id_dsa, ssh
Server: sshd, authorized_keys
Client <-> Server: Encrypted Channel Setup
Client -> Server: username, use publickey
Server -> Client: OK
Client -> Server: Signature
Server -> Client: Auth Ok / NOk
DEMO
What if I have a lot of keys, or log in a lot?
SSH Agent
Client: Agent, id_dsa, ssh
Server: sshd, authorized_keys
Client <-> Server: Encrypted Channel Setup
Client -> Server: username, use publickey
Server -> Client: OK
Client -> Server: Signature
Server -> Client: Auth Ok / NOk
What if I SSH into other servers?
SSH Agent Forwarding
No need to copy private key to other servers
Key is kept on the original source host
Agent is forwarded, using a tunnel
Passwordless!
SSH Agent Forwarding
Client: Agent, id_dsa, ssh
Server #1: sshd, authorized_keys, ssh
Server #2: sshd, authorized_keys
Client to Server #1: Transport, Connection, Interactive Shell, Agent Forwarding
Server #1 to Server #2: Transport, Connection, Interactive Shell
Control Master
Connection multiplexing allows for multiple sessions on one connection
It’s fast
No need for extra authentication
DEMO
Caveat Emptor(s)
You must trust the server(s)
What if the server was compromised?
Can SSH Agent be abused?
Can Control Master be abused?
DEMO
Help us Obi Wan
You’re our only hope!
Freak on a Leash
When adding keys to ssh-agent use ssh-add with:
-t <secs> to set a maximum lifetime on the identities being added to the agent
-c to indicate that identities being added should be subject to confirmation before being used for auth
Freak on a Leash
ssh-agent queries /usr/libexec/ssh-askpass for confirmation
"ssh-add -c -t 3600 < /dev/null" makes ssh-add use env var SSH_ASKPASS to query for passphrase
DEMO
But we still need passwords!
If you su / sudo, you still type your password...
What if we could use the SSH Agent for sudo?
Yes we can! :)
DEMO
Paranoia is reality on a finer scale
Using SSH w/o using SSH (but still using SSH)
ssh -W trusted:22 untrusted
Open socket to trusted Server...
...through an untrusted Server
Using SSH w/o using SSH (but still using SSH)
ssh -o "ProxyCommand ssh -a -W trusted:22 untrusted" trusted
-W trusted:22 untrusted: Open Socket to trusted via untrusted
-a: Disable Agent Forwarding
trusted: Connect to the socket created
Just for user and key validation
Using SSH w/o using SSH (but still using SSH)
Client: Agent, id_dsa, ssh
Untrusted: sshd, authorized_keys
Owned: sshd, authorized_keys
Trusted: sshd, authorized_keys
First connection: Transport, Connection, -W (Open Socket to Server #2)
Second connection: Transport, Connection, Interactive Shell
DEMO
Control your SSH
.ssh/config
Host trusted1 trusted2 trusted3
    ForwardAgent yes
    ProxyCommand ssh -a -W %h:22 untrusted.server.com
Host *
    ControlMaster no
    ForwardAgent no
    PasswordAuthentication no
    HashKnownHosts yes
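The layout above only works because ssh_config keeps the first value it obtains for each option, so the specific Host block has to precede "Host *". The following is an added example, not part of the original slides: a small audit that resolves the effective options for a host and reports whether the agent would be forwarded outside a trusted set. The function names, the trusted set and the misordered BAD sample are constructed for illustration; only Host blocks are handled (a Match block raises an error, Include is not followed).

```python
import fnmatch
import re

# Constructed sample mirroring the slide: specific hosts first, defaults last.
GOOD = """\
Host trusted1 trusted2 trusted3
    ForwardAgent yes
    ProxyCommand ssh -a -W %h:22 untrusted.server.com
Host *
    ControlMaster no
    ForwardAgent no
    PasswordAuthentication no
    HashKnownHosts yes
"""
# Constructed misordering: the catch-all block comes first, so its value wins.
BAD = """\
Host *
    ForwardAgent yes
Host untrusted.server.com
    ForwardAgent no
"""

def effective(config, host):
    """Resolve options for host; ssh_config keeps the first value obtained."""
    opts, active = {}, True  # options before any Host line apply to every host
    for raw in config.splitlines():
        # "Key value" or "Key=value"; blank and comment lines do not match.
        m = re.match(r"\s*([^\s=#]+)\s*=?\s*(.*?)\s*$", raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            raise ValueError("Match blocks are not handled by this example")
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            neg = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not neg  # a matching negated pattern vetoes the block
        elif active:
            opts.setdefault(key, value)  # later values for the same key are ignored
    return opts

def agent_exposed(config, host, trusted):
    """True if the agent would be forwarded to a host outside the trusted set."""
    fwd = effective(config, host).get("forwardagent", "no").lower()
    return fwd != "no" and host not in trusted
```

With the BAD ordering, the later "ForwardAgent no" for untrusted.server.com never takes effect, which is the failure this check is meant to catch.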
Live long and prosper
References
RTFM :)
RFCs 4251-4256, 4335, 4344, 4345, 4419, 4432, 4462, 4716, 5656
http://www.linuxjournal.com/article/9566
http://pamsshagentauth.sourceforge.net/
http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/