Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: OpenSSH

OpenSSH

From: Jeremy Junginger <jjunginger_at_usbestcrm.com>
Date: Fri, 6 Sep 2002 11:41:33 -0700

Hello,

I am back again, and auditing an internally accessible ssh server for
the challenge-response buffer overflow. I'll keep it brief:

OS: RedHat Linux (6.2)
SSH Version: SSH-1.99-OpenSSH_3.1p1

I have already done the following:

Downloaded and extracted openssh-3.2.2p1.tar.gz
Patched the client with ssh.diff (patch < ssh.diff)
Compiled patched client ( ./configure && make ssh)
Run the "patched" ssh (./ssh x.x.x.x)

I am receiving the following output
./scanssh 172.16.51.23
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).

I have not investigated any further, but don't feel comfortable calling
the service "secured" without a little peer review. Do you have any
tips on manipulating the method, style, repeats, chunk size, or
connect-back shellcode repeat? Any ideas will be greatly appreciated.
Thanks, and have a great day!

-Jeremy

  • application/x-pkcs7-signature attachment: smime_p7s
Received on Sep 06 2002
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos