Posts Tagged ‘RumbleInc’
[DefCon32] Sshamble: Unexpected Exposures in the Secure Shell
The Secure Shell (SSH), a cornerstone of secure communication, powers a vast array of systems beyond traditional POSIX environments, from network devices to Windows file transfer tools. HD Moore and Rob King, security researchers at Rumble, Inc., delve into the lesser-known implementations of SSH, uncovering surprising vulnerabilities. Their presentation introduces “Sshamble,” an open-source tool designed to probe SSH services, revealing weaknesses in diverse implementations. With OpenSSH dominating 80% of deployments, HD and Rob explore the long tail of alternative servers, exposing flaws like null byte password acceptance in honeypots and key mismanagement.
Their journey, sparked by the XZ backdoor investigation, reveals tens of thousands of vulnerable SSH instances. By analyzing server behaviors and handshake anomalies, Sshamble empowers researchers to identify and exploit misconfigurations, urging a reevaluation of SSH’s assumed security.
The Landscape of SSH Implementations
HD outlines SSH’s evolution from a remote shell to a ubiquitous transport protocol, second only to TLS. While OpenSSH prevails, alternatives like Dropbear and niche libraries in devices and forges introduce variability. Their research uncovers servers accepting invalid credentials or mangled requests, often indicative of honeypots or flawed implementations. For instance, many honeypots accept null byte passwords, a trait absent in legitimate OpenSSH setups.
This diversity, while functional, creates an attack surface ripe for exploitation, as non-standard servers deviate from expected security models.
Sshamble: A Tool for Discovery
Rob introduces Sshamble, a versatile tool that scans SSH services across specified ports, performing handshakes to detect anomalies. It identifies honeypots by exploiting behaviors like accepting any public key or malformed passwords. The tool’s open-source release on GitHub encourages community contributions, enhancing its ability to catalog and test SSH implementations.
Demonstrations show Sshamble pinpointing vulnerable servers, including those misconfigured to accept arbitrary credentials, highlighting the need for rigorous server validation.
Exploiting SSH Weaknesses
HD details specific vulnerabilities, such as key generation issues in libraries and servers that bypass standard authentication. While client-side tools like PuTTY were not the focus, server-side flaws dominate, with some implementations ignoring protocol specifications. These gaps allow attackers to bypass authentication or inject malicious data, compromising systems.
The XZ backdoor, though not directly exploitable, inspired their broader exploration, revealing systemic issues in SSH ecosystems.
Mitigating SSH Risks
Rob emphasizes hardening SSH deployments through strict configuration and regular audits. Disabling null byte passwords, enforcing strong key management, and monitoring handshake behaviors mitigate risks. Sshamble aids defenders by identifying weak implementations, urging organizations to standardize on robust servers like OpenSSH.
The talk concludes with a call for ongoing research into SSH’s evolving attack surface, leveraging tools like Sshamble to bolster defenses.