
I'm currently analysing a compromised network (root access has been gained to a workstation and logs show that it has been used for port scanning and service brute forcing attacks on the remaining stations within the subnet) and am wondering what is the most effective attack that can be launched at this point?

Packet sniffing allows for easy credential retrieval in the case of plain text protocols but is otherwise less effective against their encrypted counterparts.

Brute forcing is ineffective given that a secure credential policy is employed.

At this point I'm thinking that the attack with the highest impact would consist of credential retrieval through the use of ARP poisoning on services such as SSH. I've found a suite of tools that would allow an attacker to retrieve the username and password values for SSH v1 here.

The tools presented there are, however, archaic and require numerous tweaks in order to compile on most modern distros.

Is there an equivalent for SSH v2? What are the most suitable means of prevention/detection?

Sebi
  • You would have to break the protocol (of which I don't know of any such vulnerability) in order to retrieve SSH-2 credentials. It'd be easier to just drop a key logger in all honesty. – RoraΖ Oct 13 '14 at 12:01
  • Actually you don't. When using a username/password authentication scheme the client does not know the server's public key. The attacker can advertise his key as being the server's key and use it for the key exchange. The attacker can then simply log all traffic and decrypt it afterwards. – Sebi Oct 13 '14 at 12:14
  • SSH-2 uses ephemeral Diffie-Hellman for its key exchange. The public key is only advertised for authentication of the server. Any half-decent client will warn you if the cached public key changes. But now I'm confused, are you looking for an attack on the server-side or client-side? – RoraΖ Oct 13 '14 at 12:18
  • On the server side. I want to know what are the risks of the remaining boxes running SSH v2 in that subnet, of being compromised. Yes the client will warn you. However, most users tend to ignore the message and log on regardless. – Sebi Oct 13 '14 at 12:22
  • If your server is compromised I would assume the worst. You should be able to view outgoing connections from the server, and see which clients were touched. – RoraΖ Oct 13 '14 at 13:41
  • Unfortunately, it is unclear when the compromise took place. Consequently, I can only estimate the damage (I have access only to four machines in the given subnet, out of roughly seventy running an SSH service). I am currently monitoring all outbound connections. – Sebi Oct 13 '14 at 22:00
  • I would scrub the system to ensure the malware is removed. Then regenerate your SSH keys. – RoraΖ Oct 13 '14 at 22:13
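
The question's scenario (a compromised workstation used to ARP-poison neighbours) has a cheap detection side. Below is an added example, not part of the question or any tool it links to, that compares periodic neighbour-table dumps (the `ip neigh` line format) and flags the two symptoms ARP poisoning leaves behind: an IP whose MAC binding changes, and one MAC answering for several IPs. The snapshots, addresses and MACs are constructed sample data.

```python
"""Flag ARP-cache anomalies that typically accompany ARP poisoning.

Input: constructed neighbour-table snapshots in `ip neigh` format,
captured one after another. Two signals are raised:
  1. mac_changed   - an IP's MAC differs from the one first recorded,
  2. mac_multi_ip  - one MAC claims several IPs in the same snapshot
                     (e.g. a host answering for the gateway and itself).
"""
import re
from collections import defaultdict

# "<ip> dev <iface> lladdr <mac> <state>" as printed by `ip neigh`
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})",
    re.I,
)

# Constructed sample: snapshot 0 is the baseline; in snapshot 1 the gateway
# 10.0.5.1 suddenly resolves to the MAC that belongs to 10.0.5.23.
SNAPSHOTS = [
    """10.0.5.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.5.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.5.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE""",
    """10.0.5.1 dev eth0 lladdr 00:11:22:33:44:23 REACHABLE
10.0.5.23 dev eth0 lladdr 00:11:22:33:44:23 REACHABLE
10.0.5.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE""",
]


def parse_snapshot(text):
    """Return {ip: mac} for one neighbour-table dump; unparsable lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(snapshots):
    """Walk the snapshots in order and return a list of (kind, detail) findings."""
    findings = []
    baseline = {}  # first MAC ever seen for each IP
    for idx, text in enumerate(snapshots):
        table = parse_snapshot(text)

        # signal 1: the IP -> MAC binding no longer matches the first one seen
        for ip, mac in table.items():
            if ip in baseline and baseline[ip] != mac:
                findings.append(
                    ("mac_changed", f"snapshot {idx}: {ip} moved from {baseline[ip]} to {mac}")
                )
            baseline.setdefault(ip, mac)

        # signal 2: a single MAC answering for more than one IP
        by_mac = defaultdict(list)
        for ip, mac in table.items():
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append(("mac_multi_ip", f"snapshot {idx}: {mac} claims {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_anomalies(SNAPSHOTS):
        print(kind, detail)
```

Both signals need a baseline, so run the collector from a clean machine or one whose cache you trust. A MAC legitimately holding several IPs (a router with secondary addresses, a VRRP pair) will also trip the second rule, so the output is a triage list rather than a verdict.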

1 Answer


Yes, password credentials can still be stolen through a man-in-the-middle method with SSHv2.

The victim profile will depend on the type of man-in-the-middle method used. For your example of ARP poisoning from a client workstation, ARP poisoning would maximally really grant middling between clients on the nearby local network, or all clients if the server is on a nearby local network.

Other middling methods, such as DNS poisoning could increase the victim scope.

Most SSH clients will remember the public key of an SSH server they have previously connected to. So regular users would likely get a scary error or warning when attempting to connect through a mitm.

Using private key authentication is one way to avoid disclosing the secret credential, even if the connection is middled.

Here is an example story tool description. http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/

Gabe
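
The answer's defensive point is that a client which remembers the server's host key will warn when a middled connection offers a different one. The following added example (mine, not the answerer's and not OpenSSH code) reproduces that decision for a `known_hosts` file: it handles plain and comma-separated host fields as well as the hashed `|1|salt|hmac` form, which is HMAC-SHA1 keyed with the salt over the hostname, and returns `match`, `changed` or `unknown`. The key blobs are constructed base64 strings, not real SSH keys; the `SHA256:` fingerprint format follows OpenSSH.

```python
"""Host-key verification against a known_hosts file.

Models the check that makes an SSH client warn on a changed host key.
Entries may be plain ("host,alias type key") or hashed ("|1|salt|hmac type key").
Keys below are constructed placeholders, not real SSH public keys.
"""
import base64
import hashlib
import hmac


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA256:<unpadded base64 of sha256(key blob)>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(entry_host, hostname):
    """True if a known_hosts host field (plain list or |1| hashed) names hostname."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, hash_b64 = entry_host.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return hostname in entry_host.split(",")


def check_host_key(known_hosts, hostname, key_type, offered_key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server offered.

    'changed' is only reported when an entry of the same key type exists for
    the host, mirroring the client warning the answer refers to; a host known
    only under another key type is treated as unknown for this type.
    """
    seen_same_type = False
    for line in known_hosts.splitlines():
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, ktype, key = parts[0], parts[1], parts[2]
        if not host_matches(host, hostname) or ktype != key_type:
            continue
        seen_same_type = True
        if hmac.compare_digest(key, offered_key_b64):
            return "match"
    return "changed" if seen_same_type else "unknown"


def hashed_entry(hostname, key_type, key_b64, salt=b"\x01" * 20):
    """Build a |1| hashed known_hosts line (fixed salt here for reproducibility)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    host = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return f"{host} {key_type} {key_b64}"


# Constructed keys: distinct base64 strings standing in for real key blobs.
GOOD_KEY = base64.b64encode(b"legit-server-key-material").decode()
OTHER_KEY = base64.b64encode(b"different-key-material").decode()

KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    f"10.0.5.40,files.example.test ssh-ed25519 {GOOD_KEY}",
    hashed_entry("10.0.5.23", "ssh-ed25519", GOOD_KEY),
])

if __name__ == "__main__":
    for host, key in [("10.0.5.40", GOOD_KEY), ("10.0.5.40", OTHER_KEY), ("10.0.5.99", GOOD_KEY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The `changed` outcome is the one that matters for the scenario in the question: a policy that treats it as a hard failure (rather than a prompt users click through) is what turns the client-side warning into actual protection, and pairing it with key-based authentication means that even a user who does proceed has no password to hand over.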