
Black Hat 2024: Secure Shells in Shambles [pdf]

101 points | hdmoore | 1 year ago | i.blackhat.com

30 comments


hdmoore|1 year ago

The Secure Shell (SSH) protocol has survived as an internet-facing management protocol for almost 30 years. Over the decades it has transformed from a single patented codebase to a multitude of implementations available on nearly every operating system and network-connected device.

This presentation dives deep into the Secure Shell protocol, its popular implementations, what's changed, what hasn't, and how this leads to unexpected vulnerabilities and novel attacks. An open source tool, dubbed "sshamble", will be demonstrated, which reproduces these attacks and opens the door for further research.

https://github.com/runZeroInc/sshamble

mkj|1 year ago

I didn't realise the old ssh.com codebase was patented, apart from crypto patents like RSA (or IDEA?)

transpute|1 year ago

SSH and other services can be further protected by Single Packet Authentication (SPA), https://github.com/mrash/fwknop

> SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult.
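The three properties the quoted fwknop description lists (authenticated via an HMAC, non-replayable, tied to a short validity window) can be shown in a few dozen lines. The following is an added example and not fwknop's code: the packet format, the JSON body, the constant key and the 60-second window are all assumptions, and fwknop's encryption layer is left out so that only the authentication and replay logic is visible. The verifier checks the HMAC before it parses anything, rejects packets outside the time window, and keeps a cache of payload digests so the same knock cannot be reused.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; a real deployment provisions a per-client secret out of band.
HMAC_KEY = b"constructed-demo-key-not-for-real-use"
WINDOW_SECONDS = 60          # accepted clock skew / packet lifetime (assumed value)


def build_spa_packet(key, src_ip, access, now=None, nonce=None):
    """Client side: serialise the request and append an HMAC-SHA256 tag.
    fwknop additionally encrypts the body before tagging; encryption is
    omitted here so that only the freshness/authentication logic is shown."""
    body = {
        "nonce": base64.b64encode(nonce or os.urandom(16)).decode(),
        "ts": int(time.time() if now is None else now),
        "src": src_ip,      # address the client asks to have allowed
        "access": access,   # service requested, e.g. "tcp/22"
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload) + b"." + base64.b64encode(tag)


class SpaVerifier:
    """Server side: authenticate, then check freshness, then reject replays."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}   # payload digest -> arrival time; the replay cache

    def _prune(self, now):
        # A packet older than `window` is rejected as stale anyway, so an entry
        # only needs to live twice the window to block every still-valid replay.
        cutoff = now - 2 * self.window
        for digest in [d for d, t in self.seen.items() if t < cutoff]:
            del self.seen[digest]

    def verify(self, packet, now=None):
        now = time.time() if now is None else now
        try:
            p64, t64 = packet.split(b".", 1)
            payload = base64.b64decode(p64, validate=True)
            tag = base64.b64decode(t64, validate=True)
        except ValueError:
            return None, "malformed"
        # Authenticate before parsing: unauthenticated bytes never reach json.loads.
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad-hmac"
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.window:
            return None, "stale"
        self._prune(now)
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.seen:
            return None, "replay"
        self.seen[digest] = now
        return body, "ok"          # caller would now open the firewall for body["src"]


def run_demo():
    """One valid knock, then the same packet replayed, a tampered tag and a
    stale packet. Fixed timestamps and nonces keep the run deterministic."""
    t0 = 1_700_000_000
    verifier = SpaVerifier(HMAC_KEY)
    pkt = build_spa_packet(HMAC_KEY, "203.0.113.7", "tcp/22", now=t0, nonce=b"\x01" * 16)
    results = [verifier.verify(pkt, now=t0 + 5)[1]]                        # ok
    results.append(verifier.verify(pkt, now=t0 + 10)[1])                   # replay
    results.append(verifier.verify(pkt[:-4] + b"AAAA", now=t0 + 10)[1])    # bad-hmac
    old = build_spa_packet(HMAC_KEY, "203.0.113.7", "tcp/22", now=t0 - 120, nonce=b"\x02" * 16)
    results.append(verifier.verify(old, now=t0)[1])                        # stale
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks is the point of the design: the HMAC is verified over the raw bytes before any parsing, so a packet from someone without the key is dropped without exercising the JSON parser or the replay cache; the timestamp window bounds how long a captured packet stays useful; and the digest cache closes the remaining gap inside that window.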

jcynix|1 year ago

Every now and then I use GnuPG encrypted emails (or a web form) to my servers to open the firewall for certain IP addresses. If the server can decrypt such a message it can safely act on it.

The server's default is to only allow certain network ranges to access certain ports, e.g. from my local providers or employers networks.

hello_computer|1 year ago

So instead of exposing thoroughly tested OpenSSH to the web, I’m exposing this thing, which can also run shell commands…

ykonstant|1 year ago

That is interesting! Is this widely used or are there downsides I am not seeing?

tzury|1 year ago

A lot to grasp in this one. Anyone know if a video is available?

baby_souffle|1 year ago

Usually will be in the weeks or months after. I don’t know what the reasons are for the variance though.

If you use YouTube, subscribing there should get you notified when defcon starts releasing them all.

metadat|1 year ago

What is the fancy htop-like program displayed on page 44?

It reminds me of the DeLorean dashboard in Back To The Future :)

ffsm8|1 year ago

Reading your comment, I was putting my money on a customized glances - but after checking the slide... Nope, that's just the default view for btop++ (first screenshot in the link).

https://github.com/aristocratos/btop

ndegruchy|1 year ago

It looks like btop. One of my favorites.

davidfiala|1 year ago

Great presentation.

As the founder of teclada.com, I'll also share that one of the biggest risks is not even technical but human:

  - not managing your SSH keys properly
  - not even knowing where they are
  - reuse, copying, etc
  - forgotten placement of keys in authorized_keys

And worst of all:

  - "no way I'm going to even consider changing any of it"
  - "our audit logs are .bash_history"

¯\_(ツ)_/¯
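The key-hygiene items above (reuse, copies, forgotten entries in authorized_keys) are the kind of thing a small audit script over the file catches. The following is an added example, not code from the presentation or from teclada.com: it parses authorized_keys lines (including the options prefix), computes the OpenSSH-style SHA256 fingerprint of each key blob, and flags keys that appear more than once, keys with no comment identifying an owner, and lines whose declared key type does not match the type encoded inside the blob. The sample file and its key blobs are constructed in the code and are not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(b):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _synthetic_blob(key_type, material):
    # Constructed: a blob with the same leading structure as a real public key
    # (type string first) so the sample parses like a real file. Not a usable key.
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(material)).decode()


_BLOB_A = _synthetic_blob("ssh-ed25519", bytes(range(32)))
_BLOB_B = _synthetic_blob("ssh-ed25519", bytes(range(32, 64)))

# Constructed sample authorized_keys: line 5 is a copy of line 2 with no owner
# comment, line 6 declares ssh-rsa but carries an ed25519 blob pasted from line 3.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: synthetic blobs, not real keys",
    f"ssh-ed25519 {_BLOB_A} alice@laptop",
    f'from="10.0.0.0/8",command="/usr/local/bin/backup.sh" ssh-ed25519 {_BLOB_B} backup@nas',
    "",
    f"ssh-ed25519 {_BLOB_A}",
    f"ssh-rsa {_BLOB_B} bob@desktop",
])


def _split_fields(line):
    """Whitespace split that keeps quoted option values (from=\"a b\") intact."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_line(line):
    """Return (options, key_type, blob_b64, comment) or None if unparseable."""
    fields = _split_fields(line)
    if fields and fields[0] in KEY_TYPES:
        options, rest = None, fields
    elif len(fields) >= 2 and fields[1] in KEY_TYPES:
        options, rest = fields[0], fields[1:]
    else:
        return None
    if len(rest) < 2:
        return None
    return options, rest[0], rest[1], " ".join(rest[2:])


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def audit_authorized_keys(text):
    entries, seen = [], {}   # seen: fingerprint -> first line number
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            entries.append({"line": lineno, "issues": ["unparseable"]})
            continue
        options, key_type, blob64, comment = parsed
        try:
            blob = base64.b64decode(blob64, validate=True)
            inner_len = struct.unpack(">I", blob[:4])[0]
            inner_type = blob[4:4 + inner_len].decode()
        except (ValueError, struct.error, UnicodeDecodeError):
            entries.append({"line": lineno, "key_type": key_type, "issues": ["undecodable"]})
            continue
        fp, issues = fingerprint(blob), []
        if inner_type != key_type:
            issues.append("type-mismatch")        # declared type vs. type inside the blob
        if not comment:
            issues.append("no-comment")           # nobody knows whose key this is
        if fp in seen:
            issues.append(f"duplicate-of-line-{seen[fp]}")   # same key installed twice
        else:
            seen[fp] = lineno
        entries.append({"line": lineno, "key_type": key_type, "fingerprint": fp,
                        "options": options, "comment": comment, "issues": issues})
    return entries


if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(e["line"], e.get("fingerprint"), e.get("comment"), e["issues"])
```

Run across every account's authorized_keys on a host, the fingerprint column is what makes the "where are our keys" question answerable: the same fingerprint showing up under several accounts or several hosts is the reuse and copying the comment warns about, and an entry with no comment and no matching record elsewhere is a forgotten key.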