Penetration Testing mailing list archives

Re: Pen-test Freesshd 1.10

From: "Jamie Riden" <jamesr () europe com>
Date: Sat, 23 Dec 2006 07:54:18 +1300

On 22/12/06, Saehrig, Steven <ssaehrig () jeffersonradiology com> wrote:

Hello all,

This is the first time sending to the list I would like to know some way
to pen-test a sftp server I have setup on our network. I have tried nmap
for open ports and I have tried metasploit for buffer overflows that I
found on Google. Are there any programs or tricks I should know to try
and break into this. I am basically proving the security of the
application for production use.
Thank you for any advise you can give me.


The last couple of SSH compromises I've seen were all through the use
of insecure passwords - e.g. upload/upload. Have you tried a
dictionary attack against the more common user names?

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie.riden () gmail com
NZ Honeynet project - http://www.nz-honeynet.org/

Current thread:

Pen-test Freesshd 1.10 Saehrig, Steven (Dec 21)
- RE: Pen-test Freesshd 1.10 Clemens, Dan (Dec 22)
- Re: Pen-test Freesshd 1.10 Jamie Riden (Dec 22)