Linux Remote Management Protocols

Secure Shell (SSH) permite a dos ordenadores establecer una conexión cifrada y directa dentro de una red posiblemente insegura en el puerto estándar TCP 22. Esto es necesario para evitar que terceros intercepten el flujo de datos y, por tanto, intercepten datos sensibles. El servidor SSH también puede configurarse para que sólo permita conexiones de clientes específicos. Una ventaja de SSH es que el protocolo funciona en todos los sistemas operativos comunes. Dado que originalmente es una aplicación Unix, también está implementado de forma nativa en todas las distribuciones de Linux y MacOS. SSH también puede utilizarse en Windows, siempre que instalemos un programa adecuado. El conocido servidor SSH de OpenBSD (OpenSSH) en distribuciones Linux es una bifurcación de código abierto del servidor SSH original y comercial de SSH Communication Security. En consecuencia, existen dos protocolos que compiten entre sí: SSH-1 y SSH-2.

Default Configuration

cat /etc/ssh/sshd_config  | grep -v "#" | sed -r '/^\s*$/d'

Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

Footprinting the Service

SSH-Audit

git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit

./ssh-audit.py 10.129.14.132

# general
(gen) banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
(gen) software: OpenSSH 8.2p1
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)                                   

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76                            
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73

# host-key algorithms
(key) rsa-sha2-512 (3072-bit)               -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (3072-bit)               -- [info] available since OpenSSH 7.2
(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                            `- [info] a future deprecation notice has been issued in OpenSSH 8.2: https://www.openssh.com/txt/release-8.2
(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
                                            `- [warn] using weak random number generator could reveal the key
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5
...SNIP...

Change Authentication Method

ssh -v cry0l1t3@10.129.14.132

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config 
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

cry0l1t3@10.129.14.132's password:

Scanning for Rsync

sudo nmap -sV -p 873 127.0.0.1

Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 09:31 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0058s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds

Probing for Accessible Shares

 nc -nv 127.0.0.1 873

(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
dev            	Dev Tools
@RSYNCD: EXIT

rsync -av --list-only rsync://127.0.0.1/dev

receiving incremental file list
drwxr-xr-x             48 2022/09/19 09:43:10 .
-rw-r--r--              0 2022/09/19 09:34:50 build.sh
-rw-r--r--              0 2022/09/19 09:36:02 secrets.yaml
drwx------             54 2022/09/19 09:43:10 .ssh

sent 25 bytes  received 221 bytes  492.00 bytes/sec
total size is 0  speedup is 0.00

R-Services

/etc/hosts.equiv

cat /etc/hosts.equiv

# <hostname> <local username>
pwnbox cry0l1t3

Scanning for R-Services

sudo nmap -sV -p 512,513,514 10.0.17.2

Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-02 15:02 EST
Nmap scan report for 10.0.17.2
Host is up (0.11s latency).

PORT    STATE SERVICE    VERSION
512/tcp open  exec?
513/tcp open  login?
514/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.54 seconds

Access Control & Trusted Relationships

La principal preocupación de los r-services, y una de las principales razones por las que se introdujo SSH para sustituirlo, son los problemas inherentes al control de acceso de estos protocolos. Los r-servicios se basan en información de confianza enviada desde el cliente remoto a la máquina anfitriona en la que intentan autenticarse. Por defecto, estos servicios utilizan Pluggable Authentication Modules (PAM) para la autenticación de usuarios en un sistema remoto; sin embargo, también evitan esta autenticación mediante el uso de los archivos /etc/hosts.equiv y .rhosts en el sistema. Los archivos hosts.equiv y .rhosts contienen una lista de hosts (IPs o nombres de host) y usuarios en los que confía el host local cuando se realiza un intento de conexión utilizando r-commands. Las entradas en cualquiera de los dos archivos pueden tener el siguiente aspecto:

Sample .rhosts File

cat .rhosts

htb-student     10.0.17.5
+               10.0.17.10
+               +

Logging in Using Rlogin

rlogin 10.0.17.2 -l htb-student

Last login: Fri Dec  2 16:11:21 from localhost

[htb-student@localhost ~]$

Listing Authenticated Users Using Rwho

rwho

root     web01:pts/0 Dec  2 21:34
htb-student     workstn01:tty1  Dec  2 19:57  2:25

Listing Authenticated Users Using Rusers

rusers -al 10.0.17.5

htb-student     10.0.17.5:console          Dec 2 19:57     2:25

PreviousIPMI NextWindows Remote Management Protocols

Last updated 9 months ago

hashtagDefault Configuration

hashtagFootprinting the Service

hashtagSSH-Audit

hashtagChange Authentication Method

hashtagScanning for Rsync

hashtagProbing for Accessible Shares

hashtagEnumerating an Open Share

hashtagR-Services

hashtag/etc/hosts.equiv

hashtagScanning for R-Services

hashtagAccess Control & Trusted Relationships

hashtagSample .rhosts File

hashtagLogging in Using Rlogin

hashtagListing Authenticated Users Using Rwho

hashtagListing Authenticated Users Using Rusers