Saturday, July 6, 2013

REMOTE SHELL - Penetration Testing

Introduction: SSH (Secure Shell) is used to establish a remote connection to a Linux box where the SSH service is running. SSH listens on port 22 by default, and applications like OpenSSH v2.0 provide the SSH utilities. SSH can protect a network from attacks like IP spoofing and IP source routing. However, we will study some vulnerabilities associated with SSH and provide the necessary countermeasures.

//Install the SSH service on the Linux box
#yum install openssh-server

//Start the SSH service
#service sshd start

//Set the SSH service to start automatically on every system reboot
#chkconfig sshd on

//Verify that port 22 is open (sshd listening)
# netstat -tulpn | grep :22

//Configure the firewall settings (this lab stops iptables entirely; outside a lab, keep the firewall running and allow only tcp/22 through it)
# service iptables stop

//Verify the SSH access from the client box.

From the Windows box, open PuTTY and access the server box, selecting SSH and the default port, i.e. 22.


Attack using brute force with dictionary attacks
In this attack we demonstrate a dictionary attack on usernames and passwords from the client machine using ncrack (bundled with BackTrack alongside the Metasploit framework). We first create many users on the server machine.

We then run ncrack against the user list (/root/users.txt) and the password dictionary file.

//Command to take each username from the list and find a matching password from the dictionary file (<target> is the server box)
# ncrack -U /root/users.txt -P /root/passwrd.txt -p 22 <target>
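A dictionary run like the one above leaves a dense trail of "Failed password" lines in the server's sshd log, typically followed by an "Accepted" line once a guess succeeds. The script below is an added detection example (not part of the original post); it assumes the Red Hat /var/log/secure line format and works on a few constructed log lines embedded inline.

```shell
#!/bin/sh
# Constructed sshd log lines in /var/log/secure format (not taken from the post):
# a dictionary run from 192.0.2.10 that ends in a successful password login.
SAMPLE_LOG='Jul  6 10:01:12 server sshd[2101]: Failed password for user1 from 192.0.2.10 port 40112 ssh2
Jul  6 10:01:13 server sshd[2101]: Failed password for user1 from 192.0.2.10 port 40113 ssh2
Jul  6 10:01:14 server sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40114 ssh2
Jul  6 10:01:15 server sshd[2105]: Failed password for user2 from 192.0.2.10 port 40115 ssh2
Jul  6 10:01:16 server sshd[2107]: Accepted password for user2 from 192.0.2.10 port 40116 ssh2
Jul  6 10:02:00 server sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul  6 10:03:30 server sshd[2112]: Accepted publickey for user1 from 203.0.113.5 port 60000 ssh2'

# Read sshd log lines on stdin; print "count ip" for each source with at least
# $1 failed password attempts (default 5), busiest source first.
failed_login_sources() {
    awk -v t="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Read sshd log lines on stdin; print "user ip failures" for every accepted login
# from a source that had already failed earlier in the same log, the classic sign
# that a dictionary attack like the ncrack run above found a valid password.
success_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
            if (fails[ip] > 0) printf "%s %s %d\n", user, ip, fails[ip]
        }
    '
}
```

On a real server, pipe `grep sshd /var/log/secure` into either function instead of the constructed sample.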

Attack using SSH downgrade attack

1. Scan the victim box to see if the SSH port is open.

//Execute the nmap command to see all the open ports (<target> is the victim box)
#nmap -sS -O -P0 -vv <target>

2. Using the previous brute force attack, gain entry into the server machine and edit its SSH daemon configuration file.

# vi /etc/ssh/sshd_config

Countermeasures to defend SSH from attacks

Countermeasure 1: Apply public key authentication to access SSH.

a. On the Linux box:
  • Generate a public/private key pair on the server box.

//Generate the required keys
#ssh-keygen -t rsa

* The "ssh-keygen" command generates and manages the authentication keys. These are public and private RSA or DSA keys generated on the Linux/Unix box to enhance the security of SSH.

//Verify that the keys were generated in "/home/user1/.ssh" (user1 being the user with login credentials; for root the directory is /root/.ssh)
#cd /root/.ssh
# ls

//Copy the public key into the "/home/user1/.ssh" directory, renamed to authorized_keys
#cp id_rsa.pub /home/user1/.ssh/authorized_keys

b. On the Windows box:
//Open PuTTY, connect to the Linux box and navigate to the location where the key files are present.
#cd /root/.ssh
#cat id_rsa

//Copy the content of the key and save it to a text file on the Windows box
Quick steps:
- On the Windows box, open a Notepad file and paste the contents of the key.
- Save the file, say as "private.txt".

//Generate the private key on the Windows box with the help of puttygen.exe
Quick steps:
  i.   On the Windows box, open "puttygen.exe" and on the menu click "Conversions -> Import key".
  ii.  Browse to the "private.txt" file saved in the earlier step with the contents of "id_rsa".
  iii. When prompted, type the passphrase that was provided during the key generation process and click the "OK" button.
  iv.  The key is shown in the new window. Click the "Save private key" button to save the key on the Windows box. This file is saved with the extension .ppk.

//Close PuTTYgen and PuTTY on the Windows box.

c. On the Linux machine
//Edit the sshd_config file
#vi /etc/ssh/sshd_config

* The "PubkeyAuthentication=yes" parameter makes SSH require a key on every access by a user. A user can log in to the server only if the private key is presented during the SSH connection and the server validates it against the corresponding public key, placed on the server in the file named by the "AuthorizedKeysFile" parameter.
* The "PasswordAuthentication=no" parameter makes SSH never prompt the user for a password.

This countermeasure is essential for securing SSH access: only users with a valid key will be able to access the server over SSH; otherwise permission will be denied for the login.

Countermeasure 2: Change the default port of SSH from 22 to another port, say 12345.
//Change the port of SSH from the default 22 to, say, 12345
#vi /etc/ssh/sshd_config
* Add the parameter "Port 12345" to the configuration file and save the setting.
* SSH will now run on port 12345 instead of the default 22.
//Restart the service
#service sshd restart
* Now from the client box open PuTTY and access the server with SSH using port 12345 instead of 22.

//Execute the nmap command to see all the open ports (<target> is the victim box)
#nmap -sS -O -P0 -vv <target>

This makes it harder for the attacker to find the new SSH port, but only through obscurity: a scan of all 65535 ports still reveals it, so treat this as a complement to key-based authentication rather than a substitute.
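Both countermeasures live in sshd_config, so they are easy to verify after editing. The script below is an added audit example (not part of the original post) that reads the effective value of each keyword the way sshd does (first non-comment occurrence wins, keywords are case-insensitive, "Key value" and "Key=value" are both accepted, and settings after a Match line are conditional) and checks them against the two countermeasures; the two sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Effective value of an sshd_config keyword, following sshd's rules: the first
# non-comment occurrence wins, keywords are case-insensitive, "Key value" and
# "Key=value" are both accepted, and anything after a Match block is conditional.
sshd_effective() {
    awk -v key="$1" '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        { n = split(line, f, /[ \t=]+/) }
        n >= 1 && tolower(f[1]) == "match" { exit }
        n >= 2 && tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$2"
}

# Audit the two countermeasures from the post (key-only logins, non-default port).
# Returns 0 when all checks pass; OpenSSH defaults apply when a keyword is absent.
audit_sshd_config() {
    status=0
    pk="$(sshd_effective PubkeyAuthentication "$1" | tr 'A-Z' 'a-z')"
    pw="$(sshd_effective PasswordAuthentication "$1" | tr 'A-Z' 'a-z')"
    port="$(sshd_effective Port "$1")"
    [ "${pk:-yes}" = "yes" ] && echo "ok   PubkeyAuthentication" \
        || { echo "WEAK PubkeyAuthentication is ${pk}"; status=1; }
    [ "${pw:-yes}" = "no" ] && echo "ok   PasswordAuthentication" \
        || { echo "WEAK PasswordAuthentication is ${pw:-yes}"; status=1; }
    [ "${port:-22}" != "22" ] && echo "ok   Port ${port}" \
        || { echo "WEAK Port is default 22"; status=1; }
    return "$status"
}

# Constructed sample configs written to temp files (not taken from the post).
WEAK_CONF="$(mktemp)"; HARD_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
#Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
Port = 12345
pubkeyauthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no   # keys only
Match User backup
    PasswordAuthentication yes
EOF
```

Run `audit_sshd_config /etc/ssh/sshd_config` on the server after the edits above; the Match handling matters because a "PasswordAuthentication yes" inside a Match block would otherwise be mistaken for the global setting.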

Secure Shell was configured and then attacked using ncrack (a password brute force attack). Countermeasures were then applied by implementing public key based authentication and by changing the default SSH port number.