Linux Remote Protocols

Overview

Linux systems commonly use various remote management protocols for secure access and file transfer. These protocols enable remote administration, file synchronization, and system management across networks.

SSH (Secure Shell)

Overview

SSH (Secure Shell) is a network protocol that enables secure network communication and remote access to network services. It uses encryption to secure the communication channel between client and server.

Key Characteristics:

• Port 22: Default SSH port

• Authentication: Public key, password, or certificate-based

• Encryption: AES, 3DES, ChaCha20-Poly1305

• Integrity: HMAC-SHA256, HMAC-SHA1

• Key Exchange: Diffie-Hellman, ECDH

SSH Features

• Secure Remote Access: Encrypted terminal sessions

• File Transfer: SCP and SFTP protocols

• Port Forwarding: Local and remote port forwarding

• Tunneling: Secure tunneling of other protocols

• X11 Forwarding: Remote GUI application access

SSH Authentication Methods

# Password authentication
ssh username@hostname

# Public key authentication
ssh -i private_key username@hostname

# Certificate-based authentication
ssh -i certificate username@hostname

SSH Configuration

# Client configuration (/etc/ssh/ssh_config)
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    PasswordAuthentication no
    PubkeyAuthentication yes

# Server configuration (/etc/ssh/sshd_config)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers normaluser

SSH Enumeration

# Banner grabbing
nc target 22
telnet target 22
nmap -p22 --script ssh-brute target

# SSH version detection
ssh -V
nmap -p22 --script ssh-hostkey target

# SSH algorithm enumeration
nmap -p22 --script ssh2-enum-algos target

SSH Security Issues

1. Weak Authentication: Default or weak passwords

2. Key Management: Unprotected private keys

3. Configuration: Insecure SSH daemon settings

4. Brute Force: Password guessing attacks

5. Version Vulnerabilities: Outdated SSH versions

Rsync

Overview

Rsync is a utility for efficiently transferring and synchronizing files between computers. It uses the rsync protocol to transfer only the differences between files, making it bandwidth-efficient.

Key Characteristics:

• Port 873: Default rsync daemon port

• Protocol: Custom rsync protocol over TCP

• Efficiency: Delta-sync algorithm (only transfers changes)

• Authentication: Module-based access control

• Encryption: Can tunnel through SSH

Rsync Modes

Mode	Description	Usage
Local	Files on same machine	rsync source destination
Remote Shell	SSH/RSH transport	rsync -e ssh source user@host:dest
Rsync Daemon	Native rsync protocol	rsync source rsync://host/module

Rsync Configuration

# Rsync daemon configuration (/etc/rsyncd.conf)
uid = nobody
gid = nobody
use chroot = yes
max connections = 10
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock

[backup]
    path = /backup
    comment = Backup files
    read only = false
    hosts allow = 192.168.1.0/24

Rsync Enumeration

# Check if rsync daemon is running
nmap -p873 target

# List available modules
rsync target::
rsync rsync://target/

# Enumerate module contents
rsync target::module_name/
rsync rsync://target/module_name/

# Download files
rsync -av target::module_name/file ./

Rsync Security Issues

1. Anonymous Access: Unauthenticated access to shares

2. Information Disclosure: Directory listings and file access

3. Data Exfiltration: Ability to download sensitive files

4. Configuration: Overly permissive access controls

5. Network Exposure: Rsync accessible from untrusted networks

R-Services (RSH, RCP, RLOGIN)

Overview

R-Services are a suite of remote access services developed for Unix systems. They provide remote shell access, file copying, and remote login capabilities. WARNING: R-Services are inherently insecure and should not be used in production environments.

R-Service Components

Service	Port	Description
RSH	514	Remote shell execution
RCP	514	Remote file copy
RLOGIN	513	Remote login

R-Service Authentication

R-Services use host-based authentication through:

• .rhosts: Per-user access control

• /etc/hosts.equiv: System-wide access control

• Trusted hosts: IP-based authentication

R-Service Configuration Files

# /etc/hosts.equiv (system-wide)
trusted_host
+trusted_user
-untrusted_user

# ~/.rhosts (per-user)
trusted_host trusted_user
+ +

R-Service Enumeration

# Check for R-Services
nmap -p513,514 target

# Banner grabbing
nc target 513
nc target 514

# RSH access attempt
rsh target command
rsh target -l username command

# RLOGIN access attempt
rlogin target
rlogin target -l username

R-Service Security Issues

1. No Encryption: All communication in plain text

2. Weak Authentication: Host-based authentication only

3. Information Disclosure: Verbose error messages

4. Privilege Escalation: Potential for root access

5. Network Sniffing: Credentials transmitted in clear text

Advanced Enumeration Techniques

SSH Advanced Enumeration

# SSH user enumeration
nmap -p22 --script ssh-enum-users target

# SSH host key fingerprinting
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

# SSH configuration analysis
ssh -T -o StrictHostKeyChecking=no target

# SSH tunneling detection
netstat -tlnp | grep :22

SSH Brute Force

# Hydra SSH brute force
hydra -l username -P passwords.txt ssh://target

# Patator SSH brute force
patator ssh_login host=target user=username password=FILE0 0=passwords.txt

# Custom SSH brute force
#!/bin/bash
for pass in $(cat passwords.txt); do
    sshpass -p $pass ssh username@target "echo success" 2>/dev/null && echo "Password found: $pass"
done

Rsync Advanced Enumeration

# Comprehensive rsync enumeration
rsync --list-only target::
rsync --list-only rsync://target/

# Recursive directory listing
rsync -r --list-only target::module/

# Test write permissions
echo "test" | rsync --partial - target::module/test.txt

R-Service Exploitation

# RSH command execution
rsh target "id; whoami; uname -a"

# RCP file transfer
rcp localfile target:remotefile
rcp target:remotefile localfile

# RLOGIN session
rlogin target
# If successful, you get a shell

Practical Examples

HTB Academy Style SSH Enumeration

# Step 1: Service detection
nmap -p22 -sV -sC target

# Step 2: SSH version and algorithms
nmap -p22 --script ssh-hostkey,ssh2-enum-algos target

# Step 3: User enumeration (if possible)
nmap -p22 --script ssh-enum-users --script-args userdb=users.txt target

# Step 4: Brute force (if permitted)
hydra -l admin -P passwords.txt ssh://target

# Step 5: Key-based authentication testing
ssh-keygen -t rsa -b 2048 -f testkey
ssh-copy-id -i testkey.pub user@target

HTB Academy Style Rsync Enumeration

# Step 1: Service detection
nmap -p873 target

# Step 2: List available modules
rsync target::
# Example output:
# backup          Backup files
# public          Public files

# Step 3: Enumerate module contents
rsync target::backup/
rsync target::public/

# Step 4: Download interesting files
rsync -av target::backup/passwords.txt ./
rsync -av target::public/config/ ./config/

HTB Academy Lab Questions Examples

# Question 1: "Which version of SSH is running on the target?"
nmap -p22 -sV target
# Look for: ssh OpenSSH 7.6p1
# Answer: 7.6p1

# Question 2: "What rsync modules are available?"
rsync target::
# Look for module names in output
# Answer: backup, public

# Question 3: "What files are in the backup module?"
rsync target::backup/
# Look for file listings
# Answer: passwords.txt, config.bak

# Question 4: "Extract the flag from the rsync share"
rsync -av target::backup/flag.txt ./
cat flag.txt
# Answer: HTB{...}

Security Assessment

SSH Security Assessment

# Check SSH configuration
ssh -T -o StrictHostKeyChecking=no target 2>&1 | grep -E "debug|config"

# Test weak authentication
ssh user@target
ssh root@target

# Check for SSH vulnerabilities
nmap -p22 --script ssh-vuln* target

Rsync Security Assessment

# Test anonymous access
rsync target::

# Check for write permissions
echo "test" | rsync - target::module/test.txt

# Enumerate sensitive files
rsync target::module/ | grep -E "passwd|shadow|key|config"

R-Service Security Assessment

# Test R-Service access
rsh target "id"
rlogin target

# Check for trusted hosts
rsh target "cat /etc/hosts.equiv"
rsh target "cat ~/.rhosts"

Enumeration Checklist

SSH Enumeration

• Port scan for SSH (22/tcp)

• Version detection and banner grabbing

• Algorithm enumeration

• User enumeration

• Authentication method testing

• Configuration analysis

• Vulnerability scanning

Rsync Enumeration

• Port scan for rsync (873/tcp)

• Module enumeration

• Anonymous access testing

• Directory listing

• File download testing

• Write permission testing

• Sensitive file identification

R-Service Enumeration

• Port scan for R-Services (513,514/tcp)

• Service availability testing

• Authentication bypass attempts

• Command execution testing

• File transfer testing

• Configuration file analysis

Common Vulnerabilities

SSH Vulnerabilities

• CVE-2018-15473: OpenSSH user enumeration

• CVE-2016-10009: OpenSSH privilege escalation

• CVE-2008-5161: OpenSSH client vulnerability

Rsync Vulnerabilities

• CVE-2014-9512: Rsync path traversal

• CVE-2011-1097: Rsync daemon security bypass

R-Service Vulnerabilities

• Inherent Design Flaws: No encryption, weak authentication

• CVE-1999-0651: R-Services buffer overflow

• CVE-1999-0025: R-Services authentication bypass

Tools and Techniques

SSH Tools

# Connection tools
ssh                  # SSH client
scp                  # Secure copy
sftp                 # SSH file transfer
ssh-keygen          # Key generation
ssh-copy-id         # Key deployment

# Enumeration tools
nmap                 # Network scanning
hydra                # Brute force
patator              # Authentication testing

Rsync Tools

# Basic tools
rsync                # Rsync client
nmap                 # Service detection

# Custom enumeration
#!/bin/bash
# Rsync enumerator
target=$1
modules=$(rsync $target:: 2>/dev/null | awk '{print $1}')
for module in $modules; do
    echo "=== Module: $module ==="
    rsync $target::$module/ 2>/dev/null
done

R-Service Tools

# R-Service clients
rsh                  # Remote shell
rcp                  # Remote copy
rlogin               # Remote login

Defensive Measures

SSH Hardening

# Secure SSH configuration
# /etc/ssh/sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers normaluser
DenyUsers root

Rsync Security

# Secure rsync configuration
# /etc/rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
max connections = 10
timeout = 300
refuse options = delete
reverse lookup = no

[secure_backup]
    path = /backup
    read only = true
    hosts allow = 192.168.1.0/24
    hosts deny = *
    auth users = backup_user
    secrets file = /etc/rsyncd.secrets

R-Service Mitigation

# Disable R-Services (recommended)
systemctl stop rsh
systemctl stop rlogin
systemctl disable rsh
systemctl disable rlogin

# Remove R-Service packages
apt remove rsh-client rsh-server
apt remove rlogin

Best Practices

SSH Best Practices

1. Use key-based authentication only

2. Disable root login

3. Change default port

4. Use fail2ban for brute force protection

5. Regular security updates

6. Monitor SSH logs

Rsync Best Practices

1. Use authentication and encryption

2. Restrict network access

3. Use read-only shares when possible

4. Monitor rsync logs

5. Regular security audits

R-Service Recommendations

1. Do not use R-Services in production

2. Replace with SSH

3. Disable all R-Services

4. Use secure alternatives

5. Regular security assessments