
OpenSSH tricks

Date post: 29-Nov-2014
Upload: assem-chelli
Description:
Some useful tricks using OpenSSH
Transcript
Page 1: OpenSSH tricks

OpenSSH tricks

Assem Chelli

@assem_ch

Hacknowledge Contest Algeria 2013

Assem Chelli OpenSSH tricks

Page 2: OpenSSH tricks

What is SSH?

SSH: Secure SHell, a network protocol

- Created by Tatu Ylönen (1995)
- Secure logging into a remote computer

- Public key authentication (no password)
- Authentication of the server (no man-in-the-middle)
- Encryption
- Integrity

More features:

- Stream compression
- Port forwarding
- X11 session forwarding
- File transfer

Page 3: OpenSSH tricks

WHY SSH IS SO IMPORTANT?

Attacks that SSH protects against:

- IP spoofing
- IP source routing
- DNS spoofing
- Password sniffing
- Manipulation of transferred data
- Attack on X11 (sniffing on authorization)

Page 4: OpenSSH tricks

Install OpenSSH

SSH is so restricted, OpenSSH is free!
Packages: openssh-client, openssh-server

sudo apt-get install openssh-client openssh-server
sudo yum install openssh-clients openssh-server

WINDOWS: download & install PuTTY

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Page 5: OpenSSH tricks

Basic SSH usage

Remote login

ssh hostname
ssh -l user hostname
ssh user@hostname

cd:41:70:30:48:07:16:81:e5:30:34:66:f1:56:ef:db
RSA key fingerprint -> yes / no (Public Key authentication)
host's password: _______ (Password authentication)

known hosts

~/.ssh/known_hosts

Page 7: OpenSSH tricks

Omar in the middle!

Let's play the SERVER role!

- We put the server offline
- Someone sets his IP to the same IP as the server

Now try to log in again:

ssh host
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
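Pages 5 and 7 show the two outcomes of the client's host key check: a fingerprint prompt for a host that is not yet in ~/.ssh/known_hosts, and the warning when a known host presents a different key. The Python code below is an added example, not part of the original slides; it reproduces that decision over a constructed known_hosts file, including hashed host entries. The key blobs, host names and addresses are made-up sample data, and only keys of the same type are compared.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def make_key_blob(seed):
    """Constructed ed25519-shaped public key blob (sample data, not a real key)."""
    fake_key = hashlib.sha256(seed).digest()  # 32 bytes standing in for the key
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(fake_key)).decode()

def fingerprints(key_b64):
    """Return (MD5 colon-hex as on the slide, SHA256 as printed by current clients)."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha

def hash_host(host, salt):
    """Hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Match a known_hosts host field (plain comma list or hashed) against host."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")

def check_host(known_hosts, host, keytype, key_b64):
    """Return 'ok', 'changed' or 'unknown' for the key a server presents."""
    same_type_entry = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked lines (not handled here).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] != keytype or not host_matches(fields[0], host):
            continue
        if fields[2] == key_b64:
            return "ok"          # stored key equals presented key: connect silently
        same_type_entry = True   # host is known, but with another key
    return "changed" if same_type_entry else "unknown"

# Constructed sample data: host names, addresses and keys are made up.
GOOD = make_key_blob(b"real server")
ROGUE = make_key_blob(b"impostor on the same IP")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "host.example.org,192.0.2.10 ssh-ed25519 " + GOOD,
    hash_host("192.0.2.20", b"constructed-salt-20b") + " ssh-ed25519 " + GOOD,
])

if __name__ == "__main__":
    for host, key in [("host.example.org", GOOD), ("host.example.org", ROGUE),
                      ("192.0.2.20", ROGUE), ("new.example.org", GOOD)]:
        print(host, fingerprints(key)[0], check_host(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

"changed" corresponds to the REMOTE HOST IDENTIFICATION HAS CHANGED warning, "unknown" to the yes / no fingerprint prompt.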

Page 9: OpenSSH tricks

SSH replaces telnet.

ssh host.domena.pl
ssh user@host.domena.pl
ssh -l user host.domena.pl

Page 10: OpenSSH tricks

SSH replaces FTP.

sftp host.domena.pl

sftp> dir

Page 11: OpenSSH tricks

SSH replaces r-commands.

rexec

ssh host "cat /etc/passwd"

rlogin

ssh user@host

rcp

scp file host.domena.pl:

Page 12: OpenSSH tricks

Executing commands remotely

ssh host netstat
ssh host "ls -C /bin"
ssh host "cat /etc/passwd"
ssh host "vi /tmp/foo"

vi needs a terminal, so force tty allocation with -t:

ssh -t host vi /tmp/foo

Page 14: OpenSSH tricks

Redirecting commands input and output

ssh host "ls /bin | grep -i rm"
ssh host "ls /bin" | grep -i rm
ssh host "cat /etc/passwd" > remote_passwd
ssh host "psql billing" < billing.sql | grep -v ^INFO

Page 16: OpenSSH tricks

File transfer

scp

scp [user1@]host1:/path/to/source/file [user2@]host2:/path/to/destination/file
scp -r

sftp

sftp host

sftp> cd /usr/share/games
sftp> ls
sftp> lcd /tmp
sftp> get c*
sftp> quit

tar-over-ssh

ssh host "cd /usr/share/games ; tar cf - ./a*" | \
    (cd /tmp ; tar xpvf -)

rsync

rsync -ve ssh host:/bin/c* /tmp

Page 17: OpenSSH tricks

Public Keys

Generate a public key

ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub

Authentication

ssh-add -l

Restrictions

cat ~/.ssh/authorized_keys

Page 18: OpenSSH tricks

Default Config Files and SSH Port

- /etc/ssh/sshd_config - OpenSSH server configuration file.
- /etc/ssh/ssh_config - OpenSSH client configuration file.
- ~/.ssh/ - User's ssh configuration directory.
- ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user's account.
- /etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
- /etc/hosts.allow and /etc/hosts.deny : Access control lists that should be enforced by tcp-wrappers are defined here.
- SSH default port : TCP ??

Page 25: OpenSSH tricks

BEST SSH Tricks 1

1. Copy ssh keys to user@host to enable password-less ssh logins
   ssh-copy-id user@host

2. Start a tunnel from some machine's port 80 to your local port 2001
   ssh -N -L2001:localhost:80 somemachine

3. Output your microphone to a remote computer's speaker
   dd if=/dev/dsp | ssh -c arcfour -C username@host dd of=/dev/dsp

4. Compare a remote file with a local file
   ssh user@host cat /path/to/remotefile | diff /path/to/localfile -

5. Mount folder/filesystem through SSH
   sshfs name@server:/path/to/folder /path/to/mount/point

Page 30: OpenSSH tricks

BEST SSH Tricks 2

1. SSH connection through host in the middle
   ssh -t reachable_host ssh unreachable_host

2. Copy from host1 to host2, through your host
   ssh root@host1 "cd /somedir/tocopy/ && tar -cf - ." | ssh root@host2 "cd /samedir/tocopyto/ && tar -xf -"

3. Run any GUI program remotely
   ssh -fX @

4. Create a persistent connection to a machine
   ssh -MNf @

5. Attach screen over ssh
   ssh -t remote_host screen -r

Page 35: OpenSSH tricks

BEST SSH Tricks 3

1. Run complex remote shell cmds over ssh
   ssh host -l user $(ssh host -l user cat cmd.txt)

2. Resume scp of a big file
   rsync --partial --progress --rsh=ssh $file_source $user@$host:$destination_file

3. Analyze traffic remotely over ssh w/ wireshark
   ssh user@host 'tshark -f "port !22" -w -' | wireshark -k -i -

4. Have an ssh session open forever
   autossh -M50000 -t server.example.com 'screen -raAd mysession'

5. Harder, Faster, Stronger SSH clients
   ssh -4 -C -c blowfish-cbc

Page 40: OpenSSH tricks

Best SSH tricks 4

1. Disable OpenSSH Server
   apt-get remove openssh-server (ubuntu)
   chkconfig sshd off && yum erase openssh-server (fedora)

2. Force the use of SSH protocol 2, because SSH-1 is vulnerable (man-in-the-middle attacks)
   in /etc/ssh/sshd_config add the line: Protocol 2

3. Limit root or users' SSH access
   in /etc/ssh/sshd_config
   find & modify the line: AllowUsers root assem
   or find & modify the line: DenyUsers omar zaki ali-baba
   or find & modify the line: PermitRootLogin no
   or create /etc/nologin

4. Enable a warning banner
   in /etc/ssh/sshd_config add the line: Banner /etc/issue

Page 44: OpenSSH tricks

Best SSH tricks 5

1. Change SSH port
   in /etc/ssh/sshd_config find & modify the line: Port 300

2. Deny empty passwords
   in /etc/ssh/sshd_config find & modify the line: PermitEmptyPasswords no

3. Use SSH as an Internet proxy
   Google it!
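To check a server against the sshd_config advice in "Best SSH tricks 4" and "Best SSH tricks 5", the following Python audit is an added example, not part of the original slides. It reads only the global section of the file (everything before the first Match block), keeps the first value of a repeated keyword as sshd does, and flags Protocol, PermitRootLogin, PermitEmptyPasswords, AllowUsers/DenyUsers and Banner settings that depart from the slides. Both sample configurations are constructed, and treating an unset PermitRootLogin as a finding is a policy assumed for this example.

```python
MULTI = {"allowusers", "denyusers"}  # repeated lines accumulate

def parse_global(config_text):
    """Return {keyword: [args]} for the global section of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if keyword == "match":
            break  # lines after the first Match apply only conditionally
        if keyword in MULTI:
            settings.setdefault(keyword, []).extend(args)
        else:
            settings.setdefault(keyword, args)  # sshd uses the first value it reads
    return settings

def first(settings, keyword, default):
    """First argument of a keyword, or default when it is absent or empty."""
    values = settings.get(keyword)
    return values[0] if values else default

def audit(config_text):
    """Return [(keyword, message)] where the config departs from the slides' advice."""
    s = parse_global(config_text)
    findings = []
    if "1" in first(s, "protocol", "2").split(","):
        findings.append(("protocol", "SSH-1 enabled; use 'Protocol 2'"))
    root = first(s, "permitrootlogin", "unset")
    if root != "no":
        findings.append(("permitrootlogin", "is '%s'; use 'PermitRootLogin no'" % root))
    if first(s, "permitemptypasswords", "no") != "no":
        findings.append(("permitemptypasswords", "empty passwords are accepted"))
    if not s.get("allowusers") and not s.get("denyusers"):
        findings.append(("allowusers", "no AllowUsers or DenyUsers restriction"))
    if first(s, "banner", "none") == "none":
        findings.append(("banner", "no warning banner configured"))
    return findings

# Constructed sample configurations (not taken from a real host).
WEAK = """\
# constructed sample
Port 22
protocol 2,1
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords yes
Match User backup
    PermitRootLogin no
    Banner /etc/issue
"""
HARDENED = """\
Port 300
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers assem
Banner /etc/issue
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no findings")
```

In WEAK, the second PermitRootLogin line and the Banner inside the Match block do not change the global result, which is why both are still reported.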

Page 48: OpenSSH tricks

Thwart SSH Crackers

- DenyHosts
- Fail2ban
- security/sshguard
- security/sshblock

Page 49: OpenSSH tricks

SSH via Proxy!

Proxy problem!
/etc/ssh/ssh_config

Host *
    ProxyCommand connect -H 10.0.0.1:80 %h %p

Page 51: OpenSSH tricks

Forwarding over SSH

Agent forwarding

ssh -A trustedhost (your private keys can be stolen)

X11 forwarding

ssh -X user@host firefox
ssh -Y user@host

Port forwarding

ssh -L8000:anotherhost:80 somehost

Page 52: OpenSSH tricks

Tunneling types

- LocalForward
- RemoteForward
- DynamicForward
- ProxyCommand
- ForwardX11/ForwardX11Trusted
- Tunnel
- ControlMaster

Page 53: OpenSSH tricks

Security

- ssh-agent
- X11
- GatewayPorts
- MITM
- SSH-1.99
- SSH timing attack

Page 54: OpenSSH tricks

Appendix

Questions

Questions?

Page 55: OpenSSH tricks

Appendix: For Further Reading

For Further Reading I

- SSH tips, tricks & protocol tutorial. Damien Miller, AUUG Winter 2002.
- 25 Best SSH Commands / Tricks. http://www.newitperson.com/2012/01/25-ssh-commands-tricks/
- SSH manpage

