SlideShare une entreprise Scribd logo

(Mis)trusting and (ab)using ssh

M
morisson

Presentation on Confraria de Segurança da Informação, about SSH. 2Jul2012

Technologie
1  sur  38
(mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org> Monday, July 2, 12 1
About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte Monday, July 2, 12 2
In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clear Monday, July 2, 12 3
In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ... Monday, July 2, 12 4
Enter the Dragon^WSSH Monday, July 2, 12 5
SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2 Monday, July 2, 12 6
Monday, July 2, 12 7
SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IP Monday, July 2, 12 8
SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection Server Monday, July 2, 12 9
SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response Password Monday, July 2, 12 10
Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd file Monday, July 2, 12 11
If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised! Monday, July 2, 12 12
PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keys Monday, July 2, 12 13
DEMO Monday, July 2, 12 14
What if I have a lot of keys, or login a lot ?? Monday, July 2, 12 15
SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keys Monday, July 2, 12 16
What if I SSH into other servers ?? Monday, July 2, 12 17
SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless! Monday, July 2, 12 18
SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 19
Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authentication Monday, July 2, 12 20
DEMO Monday, July 2, 12 21
Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ? Monday, July 2, 12 22
DEMO Monday, July 2, 12 23
Help us Obi Wan You’re our only hope! Monday, July 2, 12 24
Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for auth Monday, July 2, 12 25
Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase Monday, July 2, 12 26
DEMO Monday, July 2, 12 27
But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :) Monday, July 2, 12 28
DEMO Monday, July 2, 12 29
Paranoia is reality on a finer scale Monday, July 2, 12 30
Monday, July 2, 12 31
Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted Server Monday, July 2, 12 32
Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validation Monday, July 2, 12 33
Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 34
DEMO Monday, July 2, 12 35
Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yes Monday, July 2, 12 36
Live long and prosper Monday, July 2, 12 37
References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/ Monday, July 2, 12 38

Recommandé

Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallHuda Seyam
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community
 

Recommandé

Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallHuda Seyam
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Neuvector Rodeo 17 mars 20234
Neuvector Rodeo 17 mars 20234Neuvector Rodeo 17 mars 20234
Neuvector Rodeo 17 mars 20234SUSE
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Tom Cappetta
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Docker containers : introduction
Docker containers : introductionDocker containers : introduction
Docker containers : introductionrinnocente
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSHnussbauml
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
 
Locking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdLocking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdBuoyant
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservicesThomas Graf
 
Security asap
Security asapSecurity asap
Security asapmorisson
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?morisson
 

Contenu connexe

Tendances

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Neuvector Rodeo 17 mars 20234
Neuvector Rodeo 17 mars 20234Neuvector Rodeo 17 mars 20234
Neuvector Rodeo 17 mars 20234SUSE
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Tom Cappetta
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Docker containers : introduction
Docker containers : introductionDocker containers : introduction
Docker containers : introductionrinnocente
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSHnussbauml
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Locking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdLocking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdBuoyant
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservicesThomas Graf
 

Tendances (20)

Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Neuvector Rodeo 17 mars 20234
Neuvector Rodeo 17 mars 20234Neuvector Rodeo 17 mars 20234
Neuvector Rodeo 17 mars 20234
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPF
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server Hardening
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Docker containers : introduction
Docker containers : introductionDocker containers : introduction
Docker containers : introduction
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSH
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
Locking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdLocking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with Linkerd
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
 

Plus de morisson

Security asap
Security asapSecurity asap
Security asapmorisson
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?morisson
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection morisson
 
Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Securitymorisson
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgerymorisson
 

Plus de morisson (7)

Security asap
Security asapSecurity asap
Security asap
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?
 
APT
APTAPT
APT
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection
 
Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Security
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
 

Dernier

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Dernier (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

(Mis)trusting and (ab)using ssh

  • 1. (mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org> Monday, July 2, 12 1
  • 2. About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte Monday, July 2, 12 2
  • 3. In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clear Monday, July 2, 12 3
  • 4. In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ... Monday, July 2, 12 4
  • 6. SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2 Monday, July 2, 12 6
  • 8. SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IP Monday, July 2, 12 8
  • 9. SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection Server Monday, July 2, 12 9
  • 10. SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response Password Monday, July 2, 12 10
  • 11. Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd file Monday, July 2, 12 11
  • 12. If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised! Monday, July 2, 12 12
  • 13. PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keys Monday, July 2, 12 13
  • 15. What if I have a lot of keys, or login a lot ?? Monday, July 2, 12 15
  • 16. SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keys Monday, July 2, 12 16
  • 17. What if I SSH into other servers ?? Monday, July 2, 12 17
  • 18. SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless! Monday, July 2, 12 18
  • 19. SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 19
  • 20. Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authentication Monday, July 2, 12 20
  • 22. Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ? Monday, July 2, 12 22
  • 24. Help us Obi Wan You’re our only hope! Monday, July 2, 12 24
  • 25. Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for auth Monday, July 2, 12 25
  • 26. Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase Monday, July 2, 12 26
  • 28. But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :) Monday, July 2, 12 28
  • 30. Paranoia is reality on a finer scale Monday, July 2, 12 30
  • 32. Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted Server Monday, July 2, 12 32
  • 33. Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validation Monday, July 2, 12 33
  • 34. Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keys Monday, July 2, 12 34
  • 36. Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yes Monday, July 2, 12 36
  • 37. Live long and prosper Monday, July 2, 12 37
  • 38. References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/ Monday, July 2, 12 38