SlideShare a Scribd company logo

(Mis)trusting and (ab)using ssh

M
morisson

The document discusses tips and tricks for using SSH more securely, including using SSH agent forwarding to avoid copying private keys, setting lifetime limits for identities added to the agent, and using SSH without direct connection by opening a socket through an untrusted server to a trusted one for authentication purposes only. It also covers potential abuses of SSH agent forwarding and connection multiplexing if the server is compromised.

Technology
1 of 38
1
2
3
4
5
6
7
Most read
8
9
10
11
12
13
Most read
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Most read
34
35
36
37
38
(mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org> Monday, July 2, 12 1
About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte Monday, July 2, 12 2
In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clear Monday, July 2, 12 3
In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ... Monday, July 2, 12 4
Enter the Dragon^WSSH Monday, July 2, 12 5
SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2 Monday, July 2, 12 6
Monday, July 2, 12 7
SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IP Monday, July 2, 12 8
SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection Server Monday, July 2, 12 9
SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response Password Monday, July 2, 12 10
Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd file Monday, July 2, 12 11
If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised! Monday, July 2, 12 12
PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keys Monday, July 2, 12 13
DEMO Monday, July 2, 12 14
What if I have a lot of keys, or login a lot ?? Monday, July 2, 12 15
SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keys Monday, July 2, 12 16
What if I SSH into other servers ?? Monday, July 2, 12 17
SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless! Monday, July 2, 12 18
SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 19
Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authentication Monday, July 2, 12 20
DEMO Monday, July 2, 12 21
Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ? Monday, July 2, 12 22
DEMO Monday, July 2, 12 23
Help us Obi Wan You’re our only hope! Monday, July 2, 12 24
Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for auth Monday, July 2, 12 25
Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase Monday, July 2, 12 26
DEMO Monday, July 2, 12 27
But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :) Monday, July 2, 12 28
DEMO Monday, July 2, 12 29
Paranoia is reality on a finer scale Monday, July 2, 12 30
Monday, July 2, 12 31
Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted Server Monday, July 2, 12 32
Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validation Monday, July 2, 12 33
Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 34
DEMO Monday, July 2, 12 35
Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yes Monday, July 2, 12 36
Live long and prosper Monday, July 2, 12 37
References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/ Monday, July 2, 12 38

More Related Content

PPTX
Unsecuring SSH
Jeremy Brown
 
PPTX
Pwning the Enterprise With PowerShell
Beau Bullock
 
PDF
Les attaques MITM
Ahmed Contre Ennahdha
 
ODP
Expanding Asterisk with Kamailio
Fred Posner
 
PDF
Web Application Firewall Tercih Rehberi
BGA Cyber Security
 
PPTX
Reverse shell
Ilan Mindel
 
PDF
Nessus Software
Megha Sahu
 
PPTX
Metasploit For Beginners
Ramnath Shenoy
 
Unsecuring SSH
Jeremy Brown
 
Pwning the Enterprise With PowerShell
Beau Bullock
 
Les attaques MITM
Ahmed Contre Ennahdha
 
Expanding Asterisk with Kamailio
Fred Posner
 
Web Application Firewall Tercih Rehberi
BGA Cyber Security
 
Reverse shell
Ilan Mindel
 
Nessus Software
Megha Sahu
 
Metasploit For Beginners
Ramnath Shenoy
 

What's hot (20)

PPTX
Server hardening
Teja Babu
 
PPTX
Nmap basics
n|u - The Open Security Community
 
PDF
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
PPTX
Introduction to Public Key Infrastructure
Theo Gravity
 
PDF
CNIT 126: Ch 2 & 3
Sam Bowne
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
PDF
Trust No One - Zero Trust on the Akamai Platform
Elisabeth Bitsch-Christensen
 
PDF
Using Kamailio for Scalability and Security
Fred Posner
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PDF
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
PDF
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
PDF
Kamailio - SIP Routing in Lua
Daniel-Constantin Mierla
 
PPTX
Threat Hunting with Splunk
Splunk
 
PDF
Docker swarm
Alberto Guimarães Viana
 
PDF
F5 TLS & SSL Practices
Brian A. McHenry
 
PPTX
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
PDF
Linux Networking Explained
Thomas Graf
 
PDF
오픈 소스를 활용한 캐쥬얼 게임 서버 프레임워크 개발
주항 박
 
Server hardening
Teja Babu
 
Nmap basics
n|u - The Open Security Community
 
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Introduction to Public Key Infrastructure
Theo Gravity
 
CNIT 126: Ch 2 & 3
Sam Bowne
 
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Trust No One - Zero Trust on the Akamai Platform
Elisabeth Bitsch-Christensen
 
Using Kamailio for Scalability and Security
Fred Posner
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Kamailio - SIP Routing in Lua
Daniel-Constantin Mierla
 
Threat Hunting with Splunk
Splunk
 
Docker swarm
Alberto Guimarães Viana
 
F5 TLS & SSL Practices
Brian A. McHenry
 
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Linux Networking Explained
Thomas Graf
 
오픈 소스를 활용한 캐쥬얼 게임 서버 프레임워크 개발
주항 박
 
Ad

Similar to (Mis)trusting and (ab)using ssh (20)

PDF
Open ssh cheet sheat
Piyush Mittal
 
PDF
SSH how to 2011
Chris Hales
 
PPTX
Secure SHell
Çağrı Çakır
 
PPT
Presentation nix
fangjiafu
 
PPT
Presentation nix
fangjiafu
 
PPT
Secure shell ppt
sravya raju
 
PDF
tutorial-ssh.pdf
NigussMehari4
 
PDF
An introduction to SSH
nussbauml
 
PPT
Ssh
gh02
 
PPT
Introduction to SSH
Hemant Shah
 
PDF
SSH.pdf
AnisSalhi3
 
PDF
SSH
Zach Dennis
 
PPTX
Ssh
Raghu nath
 
PPTX
Ssh (The Secure Shell)
Mehedi Farazi
 
PDF
OpenSSH: keep your secrets safe
Giovanni Bechis
 
PDF
Windowshadoop
arunkumar sadhasivam
 
KEY
Intro to SSH
JP Bourget
 
PDF
Dssh @ Confidence, Prague 2010
Juraj Bednar
 
PDF
Understanding ssh
Momita Chowdhury
 
PDF
sshGate - OSCON 2011
Tauop
 
Open ssh cheet sheat
Piyush Mittal
 
SSH how to 2011
Chris Hales
 
Secure SHell
Çağrı Çakır
 
Presentation nix
fangjiafu
 
Presentation nix
fangjiafu
 
Secure shell ppt
sravya raju
 
tutorial-ssh.pdf
NigussMehari4
 
An introduction to SSH
nussbauml
 
Ssh
gh02
 
Introduction to SSH
Hemant Shah
 
SSH.pdf
AnisSalhi3
 
SSH
Zach Dennis
 
Ssh
Raghu nath
 
Ssh (The Secure Shell)
Mehedi Farazi
 
OpenSSH: keep your secrets safe
Giovanni Bechis
 
Windowshadoop
arunkumar sadhasivam
 
Intro to SSH
JP Bourget
 
Dssh @ Confidence, Prague 2010
Juraj Bednar
 
Understanding ssh
Momita Chowdhury
 
sshGate - OSCON 2011
Tauop
 
Ad

More from morisson (7)

PDF
Security asap
morisson
 
PDF
Mobile Securty - An Oxymoron?
morisson
 
PDF
APT
morisson
 
PDF
The Thing That Should Not Be
morisson
 
PDF
Honeypot Farms using Ethernet Bridging over a TCP Connection
morisson
 
PPTX
Virtualization & Security
morisson
 
PDF
Crash Course In Brain Surgery
morisson
 
Security asap
morisson
 
Mobile Securty - An Oxymoron?
morisson
 
APT
morisson
 
The Thing That Should Not Be
morisson
 
Honeypot Farms using Ethernet Bridging over a TCP Connection
morisson
 
Virtualization & Security
morisson
 
Crash Course In Brain Surgery
morisson
 

Recently uploaded (20)

PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KodekX | Application Modernization Development
KodekX
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 

(Mis)trusting and (ab)using ssh

  • 1. (mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org> Monday, July 2, 12 1
  • 2. About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte Monday, July 2, 12 2
  • 3. In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clear Monday, July 2, 12 3
  • 4. In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ... Monday, July 2, 12 4
  • 6. SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2 Monday, July 2, 12 6
  • 8. SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IP Monday, July 2, 12 8
  • 9. SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection Server Monday, July 2, 12 9
  • 10. SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response Password Monday, July 2, 12 10
  • 11. Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd file Monday, July 2, 12 11
  • 12. If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised! Monday, July 2, 12 12
  • 13. PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keys Monday, July 2, 12 13
  • 15. What if I have a lot of keys, or login a lot ?? Monday, July 2, 12 15
  • 16. SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keys Monday, July 2, 12 16
  • 17. What if I SSH into other servers ?? Monday, July 2, 12 17
  • 18. SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless! Monday, July 2, 12 18
  • 19. SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 19
  • 20. Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authentication Monday, July 2, 12 20
  • 22. Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ? Monday, July 2, 12 22
  • 24. Help us Obi Wan You’re our only hope! Monday, July 2, 12 24
  • 25. Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for auth Monday, July 2, 12 25
  • 26. Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase Monday, July 2, 12 26
  • 28. But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :) Monday, July 2, 12 28
  • 30. Paranoia is reality on a finer scale Monday, July 2, 12 30
  • 32. Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted Server Monday, July 2, 12 32
  • 33. Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validation Monday, July 2, 12 33
  • 34. Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 34
  • 36. Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yes Monday, July 2, 12 36
  • 37. Live long and prosper Monday, July 2, 12 37
  • 38. References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/ Monday, July 2, 12 38