
SSH-FTP Peach Pit Datasheet


Peach Fuzzer, LLC

v3.6.94


Copyright © 2015 Peach Fuzzer, LLC. All rights reserved.

This document may not be distributed or used for commercial purposes without the explicit consent of the copyright holders.

Peach Fuzzer® is a registered trademark of Peach Fuzzer, LLC.

Peach Fuzzer contains Patent Pending technologies.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Peach Fuzzer, LLC

1122 E Pike St

Suite 1064

Seattle, WA 98112


SSH File Transfer Protocol (SFTP)

• Peach Pit: SSH-FTP

• Direction: Server

• Supported Platforms: Windows, Linux, OSX

The SSH File Transfer Protocol provides a way for clients to securely transfer files over a reliable data stream. The transport protocol assumes that a secure channel has already been established over SSH; no details of authentication and identity management are covered in this specification.

The SSH File Transfer Protocol is closer in functionality to a remote filesystem protocol than to FTP over SSH. Unlike FTP, SFTP allows for the exchange of file attributes such as timestamps and access times.


Specifications

Specification                   Title
Draft IETF Secsh Filexfer 03    SSH File Transfer Protocol


Use Cases

Messages Specification


Supported Features

Supported Features    Specification
INIT                  Draft IETF Secsh Filexfer 03 (section 4.1)
OPEN                  Draft IETF Secsh Filexfer 03 (section 6.3)
CLOSE                 Draft IETF Secsh Filexfer 03 (section 6.3)
READ                  Draft IETF Secsh Filexfer 03 (section 6.4)
WRITE                 Draft IETF Secsh Filexfer 03 (section 6.4)
LSTAT                 Draft IETF Secsh Filexfer 03 (section 6.8)
FSTAT                 Draft IETF Secsh Filexfer 03 (section 6.8)
SETSTAT               Draft IETF Secsh Filexfer 03 (section 6.9)
FSETSTAT              Draft IETF Secsh Filexfer 03 (section 6.9)
OPENDIR               Draft IETF Secsh Filexfer 03 (section 6.7)
READDIR               Draft IETF Secsh Filexfer 03 (section 6.7)
REMOVE                Draft IETF Secsh Filexfer 03 (section 6.5)
MKDIR                 Draft IETF Secsh Filexfer 03 (section 6.6)
RMDIR                 Draft IETF Secsh Filexfer 03 (section 6.6)
REALPATH              Draft IETF Secsh Filexfer 03 (section 6.11)
STAT                  Draft IETF Secsh Filexfer 03 (section 6.8)
RENAME                Draft IETF Secsh Filexfer 03 (section 6.5)
READLINK              Draft IETF Secsh Filexfer 03 (section 6.10)
SYMLINK               Draft IETF Secsh Filexfer 03 (section 6.10)


Configuration

Target Configuration

Scope

This pit is used to fuzz the SFTP channel for a server running SSH. The default test fuzzes the SSH File Transfer Protocol after an SSH connection has been established; options such as authentication type and encryption scheme are not relevant to testing.

This fuzzing definition is not compatible with OpenSSH version 6.6, as it does not implement the same version of the SSH FTP protocol. This pit covers SFTP Draft Version 3.
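The Scope above says the pit fuzzes SFTP Draft Version 3 requests once the SSH channel is up. The Python code below is an added example, not part of the Peach pit or this datasheet: it shows the length-prefixed framing of those requests and the bounds checks a server-side parser needs so that mutated length fields are rejected rather than trusted. The type codes follow the draft; the function names, the size cap and the sample packets are assumptions made for the example.

```python
import struct

# Request type codes from draft-ietf-secsh-filexfer-03 (the messages this pit covers).
FXP = {1: "INIT", 3: "OPEN", 4: "CLOSE", 5: "READ", 6: "WRITE", 7: "LSTAT",
       8: "FSTAT", 9: "SETSTAT", 10: "FSETSTAT", 11: "OPENDIR", 12: "READDIR",
       13: "REMOVE", 14: "MKDIR", 15: "RMDIR", 16: "REALPATH", 17: "STAT",
       18: "RENAME", 19: "READLINK", 20: "SYMLINK"}
MAX_PACKET = 34000  # assumed cap for this example; a real server picks its own limit

def frame(ptype, body):
    """Build a packet: uint32 length (type byte + body), byte type, body."""
    return struct.pack(">IB", len(body) + 1, ptype) + body

def ssh_string(data):
    """Encode an SSH string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Read a length-prefixed string, refusing lengths that overrun the packet."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    if n > len(buf) - off - 4:
        raise ValueError("string length overruns packet")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse(packet):
    """Validate one framed request; return (name, version_or_request_id, first_string)."""
    if len(packet) < 5:
        raise ValueError("short header")
    length, ptype = struct.unpack_from(">IB", packet)
    if length > MAX_PACKET or length != len(packet) - 4:
        raise ValueError("length field does not match data")
    if ptype not in FXP:
        raise ValueError("unknown request type %d" % ptype)
    body = packet[5:]
    if len(body) < 4:
        raise ValueError("missing version or request id")
    (num,) = struct.unpack_from(">I", body)
    if FXP[ptype] == "INIT":         # INIT carries a version, not a request id
        return "INIT", num, None
    first, _ = read_string(body, 4)  # every other request here starts with a string
    return FXP[ptype], num, first

# Constructed samples: a valid INIT, a valid OPEN (pflags=READ, empty attrs),
# and an OPEN whose filename length field claims more bytes than the packet holds.
INIT = frame(1, struct.pack(">I", 3))
OPEN = frame(3, struct.pack(">I", 7) + ssh_string(b"/test1") + struct.pack(">II", 1, 0))
BAD = frame(3, struct.pack(">I", 7) + struct.pack(">I", 0xFFFF) + b"/test1")
```

`parse(INIT)` and `parse(OPEN)` return the decoded fields, while `parse(BAD)` raises `ValueError` because the inner string length exceeds the bytes remaining in the packet.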

User privileges

As SFTP covers remote filesystem operations, the user specified in the login parameters must have privileges for all commands covered by SFTP. The remote user should be able to:

• create/delete/rename files, symlinks and directories

• open and close files and directories

• view directory listings and navigate file paths

• perform read and write file operations

SSH connection details

This pit relies on a publisher to establish and maintain an SSH connection. By default, the publisher allows infinite wait periods and handles re-establishing dropped connections. While default SSH configuration parameters should be sufficient for pit testing, not all combinations of timeout limits and reconnection policies have been verified.

Disabling reverse DNS lookup improves the efficiency of the initial SSH connection and allows for faster pit test iterations.

Required Parameters

Username

The name of the server user

Host

The address of the server under test

Password

The password of the server user used to authenticate for SSH

Optional Pit Configuration Changes: Server Pathnames

FilePath1

Full pathname of first file to be created on the server

FilePath2

Full pathname of second file to be created on the server

LinkPath

Full pathname of symlink to be created on the server

DirPath

Full pathname of directory to be created on the server

Optional Pit Configuration Changes: Local Pathnames

PitLibraryPath

Path to the relative base directory where all pits are stored.


Running

Prior to starting Peach, verify that the extension DLL, SshPublisher.dll, has been copied into the Peach binaries folder. If an error occurs saying the publisher is not found, recompile the extension using the current version of Peach.

Single Test Debug Run

peach -1 --debug SSH-FTP_Server.xml

Full Test Run


Example Configuration: Peach Configuration

Example configuration targeting an SSH server.

Listing 1. Sample Peach Configuration File

<?xml version="1.0" encoding="utf-8"?>
<PitDefines>
  <All>
    <String key="LoggerPath"
            value="logs/ssh-ftp"
            name="Logger Path"
            description="The directory where Peach will save the log produced when fuzzing." />
    <Strategy key="Strategy"
              value="Random"
              name="Mutation Strategy"
              description="The mutation strategy to use when fuzzing." />
    <String key="PitLibraryPath"
            value="."
            name="Pit Library Path"
            description="The path to the root of the pit library."/>

    <!-- Publisher parameters -->
    <String key="Username"
            value="somebody"
            name="Username"
            description="The name of the server user."/>
    <String key="Host"
            value="127.0.0.1"
            name="Host IP Address"
            description="The address of the server under test."/>
    <String key="Password"
            value="changeme"
            name="Host SSH Password"
            description="The password of the SSH server."/>

    <!-- Pathname values -->
    <String key="FilePath1"
            value="/test1"
            name="File Pathname 1"
            description="Full pathname of first file to be created on the server."/>
    <String key="FilePath2"
            value="/test2"
            name="File Pathname 2"
            description="Full pathname of second file to be created on the server."/>
    <String key="LinkPath"
            value="/testlink"
            name="Symlink Pathname"
            description="Full pathname of symlink to be created on the server."/>
    <String key="DirPath"
            value="/testdir"
            name="Directory Pathname"
            description="Full pathname of directory to be created on the server."/>
  </All>
</PitDefines>


Example Configuration: Fuzzing Environment

The network simulator eNSP may be used to create a fuzzing target. The cloud interface feature in eNSP may be used to connect the simulation to a network interface.

Configuration Steps

• Create a virtual router with the configuration settings below (may be imported as .cfg file).

• Create a cloud with a two-way communication channel enabled. Add two interfaces:

◦ One UDP port

◦ One Ethernet port using a virtual network interface

• Create a direct connection between cloud and router.

• Load the configuration file below onto the virtual router.

Setup Diagram

Figure 1. eNSP Configuration Diagram


Configuration File

Listing 2. Sample eNSP Configuration File

#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone Indian Standard Time minus 05:13:20
 clock daylight-saving-time Day Light Saving Time repeating 12:32 9-1 12:32 11-23 00:00 2005 2005
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher %$%$.Y!m%hLR;'QN%Q!%9r!(KZgh%$%$
 local-user test privilege level 15
 local-user test service-type telnet ssh
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.83.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
 sftp server enable
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh
user-interface vty 16 20
#
wlan ac
#

References
