1
00:00:00,000 --> 00:00:03,360
2
00:00:03,360 --> 00:00:06,720
[MUSIC LOGO]
3
00:00:06,720 --> 00:00:10,580
4
00:00:10,580 --> 00:00:13,100
The next protocol we'll
be looking at is SSH.
5
00:00:13,100 --> 00:00:15,150
It is very common.
6
00:00:15,150 --> 00:00:16,910
It's used for remote
administration.
7
00:00:16,910 --> 00:00:19,760
It gives you a
secure shell, which
8
00:00:19,760 --> 00:00:24,380
is what SSH stands for, and
allows you to then interact
9
00:00:24,380 --> 00:00:28,295
with a remote machine
over an encrypted channel.
10
00:00:28,295 --> 00:00:30,170
So let's take a look at
what that looks like.
11
00:00:30,170 --> 00:00:34,880
12
00:00:34,880 --> 00:00:37,640
We have our IP address.
13
00:00:37,640 --> 00:00:42,110
We are 192.244.143.2.
14
00:00:42,110 --> 00:00:47,420
So our victim is going to
be the .3 version event.
15
00:00:47,420 --> 00:00:51,120
16
00:00:51,120 --> 00:00:54,310
And it is up and running.
17
00:00:54,310 --> 00:00:56,340
So let's do a quick
scan with nmap.
18
00:00:56,340 --> 00:00:59,730
19
00:00:59,730 --> 00:01:01,920
And we see that port 22 is open.
20
00:01:01,920 --> 00:01:04,505
21
00:01:04,505 --> 00:01:07,690
And it says it's running ssh.
22
00:01:07,690 --> 00:01:12,610
Let's do a quick service
scan, operating system scan.
23
00:01:12,610 --> 00:01:27,890
24
00:01:27,890 --> 00:01:28,910
And it came back.
25
00:01:28,910 --> 00:01:34,250
It's running OpenSSH
7.2 for Ubuntu.
26
00:01:34,250 --> 00:01:36,890
Using Ubuntu 2.6.
27
00:01:36,890 --> 00:01:38,720
It says Ubuntu Linux.
28
00:01:38,720 --> 00:01:47,060
And the fingerprint also comes
back, well, with a fingerprint.
29
00:01:47,060 --> 00:01:48,573
Doesn't really mean much to me.
30
00:01:48,573 --> 00:01:49,865
So there's no exact OS matches.
31
00:01:49,865 --> 00:01:52,370
32
00:01:52,370 --> 00:01:56,160
But the software is the
Ubuntu version of OpenSSH.
33
00:01:56,160 --> 00:01:58,520
So that's the dead giveaway.
34
00:01:58,520 --> 00:02:03,770
How this works is normally
do ssh and then a user root.
35
00:02:03,770 --> 00:02:06,890
It's almost on
every Linux machine.
36
00:02:06,890 --> 00:02:09,230
Root @ our IP address.
37
00:02:09,230 --> 00:02:13,410
38
00:02:13,410 --> 00:02:17,460
And it says, hey, authentication
can't be established.
39
00:02:17,460 --> 00:02:22,380
Here is the
fingerprint, the SHA256.
40
00:02:22,380 --> 00:02:24,960
Are you sure you want
to continue connecting?
41
00:02:24,960 --> 00:02:26,760
Normally, we would
check that, make sure
42
00:02:26,760 --> 00:02:29,580
that it's what we
expect for that machine.
43
00:02:29,580 --> 00:02:31,260
We'll say yes.
44
00:02:31,260 --> 00:02:32,220
Have to type out yes.
45
00:02:32,220 --> 00:02:36,590
46
00:02:36,590 --> 00:02:41,000
It says, welcome to attack
defense ssh recon lab!!
47
00:02:41,000 --> 00:02:42,710
That is the banner.
48
00:02:42,710 --> 00:02:44,660
We haven't even
authenticated, and it already
49
00:02:44,660 --> 00:02:53,590
told us that it is
what the name of it is.
50
00:02:53,590 --> 00:02:56,680
Now, it's asking
for root's password.
51
00:02:56,680 --> 00:03:02,900
Try, like, password123.
52
00:03:02,900 --> 00:03:07,490
And you get three chances
usually for a password.
53
00:03:07,490 --> 00:03:08,750
We'll just exit out of that.
54
00:03:08,750 --> 00:03:14,300
55
00:03:14,300 --> 00:03:16,310
Now that we've seen
what service is running,
56
00:03:16,310 --> 00:03:20,240
and we've kind of
connected to it-- oh.
57
00:03:20,240 --> 00:03:23,030
Let's Netcat to it.
58
00:03:23,030 --> 00:03:27,380
Rather than using the
ssh tool, we will just
59
00:03:27,380 --> 00:03:37,650
utilize Netcat, which will
connect, and it says 22.
60
00:03:37,650 --> 00:03:39,690
Connect to port 22.
61
00:03:39,690 --> 00:03:41,460
And that gives us
this banner, which
62
00:03:41,460 --> 00:03:44,490
is how it did the
fingerprint scan before.
63
00:03:44,490 --> 00:03:50,750
64
00:03:50,750 --> 00:03:53,900
And it doesn't give us much
more than that with Netcat.
65
00:03:53,900 --> 00:03:55,250
It's a protocol mismatch.
66
00:03:55,250 --> 00:03:57,920
But it still gave
us the banner, which
67
00:03:57,920 --> 00:03:59,993
was useful for
enumeration, which
68
00:03:59,993 --> 00:04:01,160
is what we're doing, really.
69
00:04:01,160 --> 00:04:07,092
70
00:04:07,092 --> 00:04:08,800
Now that we've seen
the banner, and we've
71
00:04:08,800 --> 00:04:17,160
seen the welcome message,
let's do some more enumeration
72
00:04:17,160 --> 00:04:20,100
on the machine, port 22.
73
00:04:20,100 --> 00:04:32,220
We're going to run the script,
ssh2-enum-algos to enumerate
74
00:04:32,220 --> 00:04:33,540
all the algorithms.
75
00:04:33,540 --> 00:04:38,398
76
00:04:38,398 --> 00:04:39,190
And this is useful.
77
00:04:39,190 --> 00:04:40,810
It shows us all
the algorithms that
78
00:04:40,810 --> 00:04:43,855
can be used to create that key.
79
00:04:43,855 --> 00:04:47,623
80
00:04:47,623 --> 00:04:49,290
We're going to want
to write these down.
81
00:04:49,290 --> 00:04:51,900
And if we need them
later, we have them.
82
00:04:51,900 --> 00:04:56,630
83
00:04:56,630 --> 00:05:00,980
What's really helpful
is we want that rsa key.
84
00:05:00,980 --> 00:05:08,930
85
00:05:08,930 --> 00:05:15,440
It's the primary way
that ssh actually
86
00:05:15,440 --> 00:05:17,900
encrypts through the rsa key.
87
00:05:17,900 --> 00:05:27,790
So we'll run the
ssh-hostkey, passing
88
00:05:27,790 --> 00:05:37,060
some arguments, script args,
of ssh hostkey equal to,
89
00:05:37,060 --> 00:05:38,170
and then we'll say full.
90
00:05:38,170 --> 00:05:46,730
91
00:05:46,730 --> 00:05:51,140
And it gives us the
full ssh rsa hostkey.
92
00:05:51,140 --> 00:05:52,400
Definitely want to save this.
93
00:05:52,400 --> 00:05:53,930
That could be very useful later.
94
00:05:53,930 --> 00:05:58,290
95
00:05:58,290 --> 00:06:01,430
A couple more
things we can check.
96
00:06:01,430 --> 00:06:05,933
Let's see if there are any
weak passwords for ssh.
97
00:06:05,933 --> 00:06:07,100
We'll go back to our script.
98
00:06:07,100 --> 00:06:10,640
99
00:06:10,640 --> 00:06:12,190
And what we want
to check for here
100
00:06:12,190 --> 00:06:22,780
is ssh-auth-methods to know what
sort of authorization methods
101
00:06:22,780 --> 00:06:32,440
are being used for, in this
case, ssh.user of student.
102
00:06:32,440 --> 00:06:33,860
It's always the intern.
103
00:06:33,860 --> 00:06:40,190
104
00:06:40,190 --> 00:06:43,440
And we see that there are
no supported authentication
105
00:06:43,440 --> 00:06:48,545
methods for the user of student.
106
00:06:48,545 --> 00:06:51,890
107
00:06:51,890 --> 00:06:52,850
Well, that's dangerous.
108
00:06:52,850 --> 00:06:56,775
Let's try it for admin.
109
00:06:56,775 --> 00:07:05,590
110
00:07:05,590 --> 00:07:08,710
And we see that for
the admin, there's
111
00:07:08,710 --> 00:07:09,910
a public key and a password.
112
00:07:09,910 --> 00:07:14,810
113
00:07:14,810 --> 00:07:19,820
So we saw that student doesn't
actually have a password.
114
00:07:19,820 --> 00:07:33,110
So what we could do is a ssh
student at the IP address.
115
00:07:33,110 --> 00:07:35,348
And we're in.
116
00:07:35,348 --> 00:07:36,890
We didn't have to
tell it a password.
117
00:07:36,890 --> 00:07:37,515
We are student.
118
00:07:37,515 --> 00:07:50,240
119
00:07:50,240 --> 00:07:51,950
And it looks like
it's a restricted user
120
00:07:51,950 --> 00:07:57,530
and doesn't have full controls.
121
00:07:57,530 --> 00:08:05,875
122
00:08:05,875 --> 00:08:07,250
But we can close
that connection,
123
00:08:07,250 --> 00:08:09,020
and we're back on
our own machine.
124
00:08:09,020 --> 00:08:14,150
125
00:08:14,150 --> 00:08:16,195
But generally,
that's how SSH works.
126
00:08:16,195 --> 00:08:22,550
127
00:08:22,550 --> 00:08:25,770
We were able to enumerate
the SSH service,
128
00:08:25,770 --> 00:08:31,020
find out that the administrator
used a password or a key.
129
00:08:31,020 --> 00:08:36,059
We were able to pull
the RSA hostkey.
130
00:08:36,059 --> 00:08:40,590
And we also saw that there
was an unauthenticated user
131
00:08:40,590 --> 00:08:41,850
of student.
132
00:08:41,850 --> 00:08:47,630
That allowed us to actually
pull a file remotely.
133
00:08:47,630 --> 00:08:50,380
So that was enumeration for SSH.
134
00:08:50,380 --> 00:08:52,500
We'll get a little bit deeper.
135
00:08:52,500 --> 00:08:53,000