Re: Pen-test Freesshd 1.10

From: Jamie Riden (jamesr@europe.com)
Date: Fri Dec 22 2006 - 13:54:18 EST


On 22/12/06, Saehrig, Steven <ssaehrig@jeffersonradiology.com> wrote:
> Hello all,
>
> This is the first time sending to the list. I would like to know some way
> to pen-test a sftp server I have set up on our network. I have tried nmap
> for open ports and I have tried metasploit for buffer overflows that I
> found on Google. Are there any programs or tricks I should know to try
> and break into this? I am basically proving the security of the
> application for production use.
> Thank you for any advice you can give me.

The last couple of SSH compromises I've seen were all through the use
of insecure passwords - e.g. upload/upload. Have you tried a
dictionary attack against the more common user names?

cheers,
 Jamie

-- 
Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/

