Skip to content

Posts tagged ‘ssh’

8
Sep

Reverse SSH over Tor on the Pwnie Express

The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.

While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.

Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.

These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.

Read moreRead more

15
May

Mitigating SSH Vulnerabilities Using Single Packet Authorization

Note: This is a 2008 post I managed to recover from my archive of Securethoughts.net

This past week has seen a bit of activity on the SSH security front. To begin with, on Tuesday (13/05/08) Linux distributions Debian and Ubuntu announced that due to a flaw in the random number generator used to generate cryptographic keys used by OpenSSL, OpenSSH and OpenVPN, making these keys far more predictable than they should be, and can be discovered by performing a brute force attack. This is particularly true of the encryption keys used by OpenSSH. HD Moore of the Metasploit project has created a page cover these vulnerabilities, with links to tools that can be used to check for weak keys, as well as key blacklists.

Coincidentally, on Wednesday (14/05/08) a number of network administrators issued warnings of increased brute force and dictionary attacks on systems running SSH. It is believed, however, that these increased attacks are most likely unrelated to the vulnerabilities disclosed in SSH the day before.
As a result of the vulnerability disclosures, users of Ubuntu and Debian systems are not only strongly encouraged to update their software, but also delete all cryptographic keys generated between September 2006 and the 13th of May 2008, and re-generate new keys. Some Debian system administrators, whose systems make significant OpenSSH and OpenVPN, frantically trying to determine which systems are vulnerable and where new keys need to be generated.
As you can expect, due to the nature of services like SSH, it is quite a crucial service to keep secure. Doing so is potentially a complex task due to brute force/dictionary attacks, weak key attacks, and 0day exploits. This is one area in particular where Single Packet Authorization (SPA) excels.
SPA is a method for keeping a host’s firewall completely closed down until a valid authorization packet is received, which will then allow the authorized client to connect during a very short timeframe. As such, an attacker cannot even reach the SSH daemon in order to carry out the attacks mentioned above. This would give system administrators a lot more breathing room for carrying out updates, re-generating keys, etc. It essentially adds an extra layer of security, and adds to the concept of defense-in-depth which is an important part good all-round security.

A very robust implementation of SPA is the Firewall Knock Operator (fwknop), developed in Perl by Michael Rash, which includes features such as replay-protection. I’ll be posting a tutorial on setting up fwknop on OS X very soon. Aldaba, another implementation by Luis Martin Garcia, is written entirely in C, and offers similar functionality to fwknop. Finally the latest implementation that has come to my attention in the past few days is “Ramius“, written entirely in Bash by John Brendler. Although I have not tested it yet, it’s good to see new implementations using readily-available tools.

css.php