# SSH (22)

## Introduction

- Secure Shell lets two computers establish an encrypted, authenticated connection over an insecure network; the server listens on TCP 22 by default
- SSH-1 is obsolete and has known cryptographic flaws (e.g. the weak CRC-32 integrity check), so it is considered vulnerable to MITM attacks; SSH-2 is the current standard and does not share those flaws, though a client that blindly accepts a new or changed host key can still be intercepted
- Six authentication methods:
  - password auth
  - public-key auth (RSA, ECDSA or Ed25519 key pair)
  - host-based auth
  - keyboard-interactive auth
  - challenge-response auth (the older OpenSSH name for keyboard-interactive)
  - GSSAPI auth

## Footprinting SSH

```bash
git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py <ip_addr>
# check the reported version for potential vulns such as CVE-2020-14145
# SSH-1.99-OpenSSH_3.9p1 -> server accepts both SSH-1 and SSH-2 (1.99 is the RFC 4253 convention for "both")
# SSH-2.0-OpenSSH_8.2p1  -> server accepts only SSH-2

ssh -v <user_name>@<ip_addr>
# -o PreferredAuthentications selects the login method (e.g. password) for a brute-force attempt
ssh -v <user_name>@<ip_addr> -o PreferredAuthentications=password
```

## Default Config

```bash
# print only the active directives (drop comment and blank lines)
grep -Ev '^[[:space:]]*(#|$)' /etc/ssh/sshd_config
# NOTE: X11 forwarding had a command injection bug (via xauth) in OpenSSH before 7.2p2, i.e. up to 7.2p1 (CVE-2016-3115, 2016)
```

## Dangerous Settings

| Setting                    | Description                                                                  |
| -------------------------- | ---------------------------------------------------------------------------- |
| PasswordAuthentication yes | allows password-based auth (can be brute-forced)                             |
| PermitEmptyPasswords yes   | allows login with an empty password                                          |
| PermitRootLogin yes        | allows direct login as root                                                  |
| Protocol 1                 | enables the obsolete SSH-1 protocol (no longer supported by modern OpenSSH)   |
| X11Forwarding yes          | allows X11 forwarding for GUI apps (extra attack surface on the client side) |
| PermitTunnel yes           | allows tun device forwarding (layer-2/3 VPN over SSH)                        |
| DebianBanner yes           | appends the Debian/Ubuntu package version to the banner (OS fingerprinting)  |

# Rsync (873)

- fast and efficient tool for copying files locally and between hosts
- the rsync daemon listens on TCP 873 by default; rsync can also be run on top of an SSH session

## Footprinting Rsync

```bash
sudo nmap -sV -p873 <ip_addr>
# interact with the rsync daemon by hand
nc -nv <ip_addr> 873
# list accessible modules (shares)
rsync -av --list-only rsync://<ip_addr>/
# add -e ssh to go over SSH; use --port <port_no> for a non-standard daemon port
# (rsync's own -p means --perms, not port); over SSH use -e 'ssh -p <port_no>'
```

# R-Services (512, 513, 514)

- suite of services that provide remote access to, and remote command execution on, Unix hosts over TCP/IP
- now replaced by SSH; like `telnet`, r-services transmit everything, including credentials, unencrypted
- Programs in the suite:
  - rcp (remote copy)
  - rexec (remote execution)
  - rlogin (remote login)
  - rsh (remote shell)
  - rstat
  - ruptime
  - rwho (remote who)

| Command | Service Daemon | Port | Transport Protocol | Description                                                                                                                                                                                                                                                                 |
| ------- | -------------- | ---- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| rcp     | rshd           | 514  | TCP                | Copies a file or directory from the local system to the remote system (or vice versa), or from one remote system to another                                                                                                                                                |
| rsh     | rshd           | 514  | TCP                | Opens a shell on a remote machine without a login procedure. Relies on the trusted entries in `/etc/hosts.equiv` and `.rhosts` for validation                                                                                                                              |
| rexec   | rexecd         | 512  | TCP                | Lets a user run shell commands on a remote machine. Requires a `username` and `password`, sent over an unencrypted network socket. Authentication is overridden by the trusted entries in `/etc/hosts.equiv` and `.rhosts`                                                 |
| rlogin  | rlogind        | 513  | TCP                | Lets a user log in to a remote host over the network. Works similarly to `telnet` but can only connect to Unix-like hosts. Authentication is overridden by the trusted entries in `/etc/hosts.equiv` and `.rhosts`                                                        |

- `/etc/hosts.equiv` is the global config file listing trusted hosts and users
- `~/.rhosts` is the per-user config file listing trusted hosts and users

## Footprinting R-Services

```bash
sudo nmap -p512-514 -sV -sC <ip_addr>
```

## Interacting with R-Services

```bash
rlogin <ip_addr> -l <user_name>   # log in to the remote host as the given user
rwho                              # list users logged in on hosts broadcasting rwhod on the local network
rusers -al <ip_addr>              # list users logged in on the target host
```
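Added example for the SSH "Dangerous Settings" section above (this is not code from the original notes or from the OpenSSH project): a small POSIX shell auditor that reads an `sshd_config`, resolves each dangerous keyword the way `sshd` does (first occurrence wins, keywords are case-insensitive, `#` starts a comment, directives after the first `Match` line are conditional and skipped) and prints `WEAK` lines beside a weak and a hardened sample. The sample configs and the defaults used for absent keywords are constructed/assumed here; the `keyword=value` form and `Match` logic are deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the original notes: audit sshd_config for the
# dangerous settings listed in the SSH section. Parsing rules mirror sshd_config(5):
#   * "#" starts a comment, blank lines are ignored, keywords are case-insensitive
#   * for each keyword the FIRST occurrence wins; later duplicates are ignored
#   * directives after the first "Match" line are conditional and are skipped here
# Not handled (assumption/limitation): the keyword=value form and Match-block logic.

# sshd_opt <file> <keyword> [default]: print the effective global value of a keyword.
sshd_opt() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*$/ { next }                      # skip blank lines
        tolower($1) == "match" { exit }          # stop at the first Match block
        tolower($1) == key { print $2; exit }    # first occurrence wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# check <file> <keyword> <default> <weak-glob> <why>: print one result line.
check() {
    v=$(sshd_opt "$1" "$2" "$3" | tr 'A-Z' 'a-z')
    case "$v" in
        $4) printf 'WEAK %-23s %-18s %s\n' "$2" "$v" "$5" ;;
        *)  printf 'ok   %-23s %s\n' "$2" "$v" ;;
    esac
}

# audit_sshd_config <file>: one line per setting; "WEAK" lines are findings.
# Defaults below are upstream OpenSSH defaults for an absent keyword; DebianBanner
# is assumed to default to yes (Debian/Ubuntu builds).
audit_sshd_config() {
    check "$1" Protocol               2                 '*1*'   'SSH-1 accepted'
    check "$1" PermitRootLogin        prohibit-password 'yes'   'direct root login with a password'
    check "$1" PasswordAuthentication yes               'yes'   'password auth can be brute-forced'
    check "$1" PermitEmptyPasswords   no                'yes'   'accounts with empty passwords can log in'
    check "$1" X11Forwarding          no                'yes'   'X11 forwarding enabled'
    check "$1" PermitTunnel           no                '[!n]*' 'tun device forwarding (VPN over SSH)'
    check "$1" DebianBanner           yes               'yes'   'OS version leaked in the banner'
}

# Constructed sample configs (not from any real host). Note the duplicate
# PermitRootLogin in the weak file: sshd keeps the first value ("yes"), so the
# later "no" is ineffective, and the Match block does not change the global value.
tmp=$(mktemp -d)
cat > "$tmp/weak_sshd_config" <<'EOF'
# constructed weak config
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
PermitTunnel point-to-point
DebianBanner yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
cat > "$tmp/hardened_sshd_config" <<'EOF'
# constructed hardened config
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
PermitTunnel no
DebianBanner no
EOF

echo "== weak =="
audit_sshd_config "$tmp/weak_sshd_config"
echo "== hardened =="
audit_sshd_config "$tmp/hardened_sshd_config"
```

Run it against a copied `/etc/ssh/sshd_config`; on a host where you already have root, `sshd -T` prints the effective configuration with all defaults resolved and is the authoritative check. The first-occurrence rule is the practical point: a hardening line appended at the bottom of the file does nothing if an earlier line already set the keyword.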
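Added example for the `/etc/hosts.equiv` and `~/.rhosts` bullets above (not code from the original notes): a POSIX shell auditor that classifies every entry in an r-services trust file, counts the `+` wildcards that let an attacker-controlled client skip authentication, and warns about a `.rhosts` with permissions that `ruserok()` would reject. The two sample files are constructed here and the hostnames in them are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: audit r-service trust files.
# /etc/hosts.equiv and ~/.rhosts share one format, one entry per line:
#     hostname [username]      trust user@hostname (no username = same username as local account)
#     +                        wildcard: any host (1st field) / any user (2nd field)
#     -hostname, -username     explicit deny
#     @netgroup, -@netgroup    NIS netgroup allow / deny
# "#" starts a comment. "+ +" trusts every user on every host, so anyone who
# controls the client side can use rlogin/rsh/rcp without a password. In
# hosts.equiv a username field grants that remote user any local account except root.

# audit_trust_file <file>: print one classified line per entry.
audit_trust_file() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        /^[ \t]*$/ { next }                       # skip blank lines
        {
            host = $1; user = (NF >= 2) ? $2 : "<same username>"
            if (host == "+" && user == "+")      tag = "WILDCARD-HOST+USER"
            else if (host == "+")                tag = "WILDCARD-HOST"
            else if (user == "+")                tag = "WILDCARD-USER"
            else if (host ~ /^-/ || user ~ /^-/) tag = "DENY"
            else if (host ~ /^@/ || user ~ /^@/) tag = "NETGROUP"
            else                                 tag = "TRUST"
            printf "%-18s host=%s user=%s\n", tag, host, user
        }
    ' "$1"
}

# count_wildcards <file>: number of entries containing a "+" wildcard (the real findings).
count_wildcards() {
    audit_trust_file "$1" | grep -c '^WILDCARD' || true
}

# rhosts_mode_warning <file>: the BSD/glibc ruserok() check ignores a ~/.rhosts
# that is writable by group or others (or not owned by the user or root), so such
# a file either grants nothing or is a sign of tampering. Uses ls(1) for portability.
rhosts_mode_warning() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) echo "WARN  $1 is group/world-writable ($mode), ruserok() will ignore it" ;;
        *)                  echo "ok    $1 mode $mode" ;;
    esac
}

# Constructed sample files (hostnames are made up).
tmp=$(mktemp -d)
cat > "$tmp/hosts.equiv" <<'EOF'
# constructed sample: global trust file with a catastrophic wildcard
+ +
build.example.internal
-untrusted.example.internal
@netops
EOF
cat > "$tmp/.rhosts" <<'EOF'
# constructed sample: per-user file; "+" alone trusts this username from any host
+
jump.example.internal alice
EOF
chmod 666 "$tmp/.rhosts"

echo "== /etc/hosts.equiv =="
audit_trust_file "$tmp/hosts.equiv"
echo "wildcard entries: $(count_wildcards "$tmp/hosts.equiv")"
echo "== ~/.rhosts =="
audit_trust_file "$tmp/.rhosts"
rhosts_mode_warning "$tmp/.rhosts"
```

On a target, run `audit_trust_file` over `/etc/hosts.equiv` and every `/home/*/.rhosts` (and `/root/.rhosts`): a `WILDCARD` line for a host you can impersonate, by DNS or by being on the listed network, is what turns the rlogin command from the section above into a password-less login.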