2012-01-05 20:10:49 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
2012-02-21 01:40:50 +00:00
# web site for more information on licensing and terms of use.
# http://metasploit.com/
2012-01-05 20:10:49 +00:00
##
require 'msf/core'
require 'net/ssh'
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
require 'sshkey' # TODO: Actually include this!
2012-01-05 20:10:49 +00:00
class Metasploit3 < Msf :: Auxiliary
include Msf :: Auxiliary :: Scanner
include Msf :: Auxiliary :: AuthBrute
include Msf :: Auxiliary :: Report
def initialize
super (
'Name' = > 'SSH Public Key Acceptance Scanner' ,
'Description' = > %q{
This module can determine what public keys are configured for
key - based authentication across a range of machines , users , and
sets of known keys . The SSH protocol indicates whether a particular
key is accepted prior to the client performing the actual signed
authentication request . To use this module , a text file containing
one or more SSH keys should be provided . These can be private or
public , so long as no passphrase is set on the private keys .
2012-02-22 05:57:55 +00:00
2012-01-05 20:10:49 +00:00
If you have loaded a database plugin and connected to a database
this module will record authorized public keys and hosts so you can
track your process .
Key files may be a single public ( unencrypted ) key , or several public
keys concatenated together as an ASCII text file . Non - key data should be
silently ignored . Private keys will only utilize the public key component
stored within the key file .
} ,
'Author' = > [ 'todb' , 'hdm' ] ,
'License' = > MSF_LICENSE
)
register_options (
[
Opt :: RPORT ( 22 ) ,
OptPath . new ( 'KEY_FILE' , [ false , 'Filename of one or several cleartext public keys.' ] )
] , self . class
)
register_advanced_options (
[
OptBool . new ( 'SSH_DEBUG' , [ false , 'Enable SSH debugging output (Extreme verbosity!)' , false ] ) ,
2012-01-07 07:13:23 +00:00
OptBool . new ( 'SSH_BYPASS' , [ false , 'Verify that authentication was not bypassed when keys are found' , false ] ) ,
2012-01-05 20:10:49 +00:00
OptString . new ( 'SSH_KEYFILE_B64' , [ false , 'Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only.' , '' ] ) ,
OptPath . new ( 'KEY_DIR' , [ false , 'Directory of several keys. Filenames must not begin with a dot in order to be read.' ] )
]
)
deregister_options ( 'RHOST' , 'PASSWORD' , 'PASS_FILE' , 'BLANK_PASSWORDS' , 'USER_AS_PASS' )
@good_credentials = { }
@good_key = ''
@strip_passwords = true
end
def key_dir
datastore [ 'KEY_DIR' ]
end
def rport
datastore [ 'RPORT' ]
end
def ip
datastore [ 'RHOST' ]
end
def read_keyfile ( file )
if file == :keyfile_b64
keyfile = datastore [ 'SSH_KEYFILE_B64' ] . unpack ( " m* " ) . first
elsif file . kind_of? Array
keyfile = ''
file . each do | dir_entry |
next unless :: File . readable? dir_entry
keyfile << :: File . open ( dir_entry , " rb " ) { | f | f . read ( f . stat . size ) }
end
else
keyfile = :: File . open ( file , " rb " ) { | f | f . read ( f . stat . size ) }
end
keys = [ ]
this_key = [ ]
in_key = false
keyfile . split ( " \n " ) . each do | line |
if line =~ / ssh-(dss|rsa) \ s+ /
keys << line
next
end
in_key = true if ( line =~ / ^-----BEGIN [RD]SA (PRIVATE|PUBLIC) KEY----- / )
this_key << line if in_key
if ( line =~ / ^-----END [RD]SA (PRIVATE|PUBLIC) KEY----- / )
in_key = false
keys << ( this_key . join ( " \n " ) + " \n " )
this_key = [ ]
end
end
if keys . empty?
print_error " #{ ip } : #{ rport } SSH - No valid keys found "
end
return validate_keys ( keys )
end
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
# Validates that the key isn't total garbage, and converts PEM formatted
# keys to SSH formatted keys.
2012-01-05 20:10:49 +00:00
def validate_keys ( keys )
keepers = [ ]
keys . each do | key |
if key =~ / ssh-(dss|rsa) /
keepers << key
next
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
else # Use the mighty SSHKey library from James Miller to convert them on the fly.
ssh_version = SSHKey . new ( key ) . ssh_public_key rescue nil
keepers << ssh_version if ssh_version
next
2012-01-05 20:10:49 +00:00
end
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
# Needs a beginning
next unless key =~ / ^-----BEGIN [RD]SA (PRIVATE|PUBLIC) KEY----- \ x0d? \ x0a /m
# Needs an end
next unless key =~ / \ n-----END [RD]SA (PRIVATE|PUBLIC) KEY----- \ x0d? \ x0a?$ /m
# Shouldn't have binary.
next unless key . scan ( / [ \ x00- \ x08 \ x0b \ x0c \ x0e- \ x1f \ x80- \ xff] / ) . empty?
# Add more tests to taste.
keepers << key
end
if keepers . empty?
print_error " #{ ip } : #{ rport } SSH - No valid keys found "
end
return keepers . uniq
end
def pull_cleartext_keys ( keys )
cleartext_keys = [ ]
keys . each do | key |
next unless key
next if key =~ / Proc-Type:.*ENCRYPTED /
this_key = key . gsub ( / \ x0d / , " " )
next if cleartext_keys . include? this_key
cleartext_keys << this_key
end
if cleartext_keys . empty?
print_error " #{ ip } : #{ rport } SSH - No valid cleartext keys found "
end
return cleartext_keys
end
def do_login ( ip , port , user )
if datastore [ 'KEY_FILE' ] and File . readable? ( datastore [ 'KEY_FILE' ] )
keys = read_keyfile ( datastore [ 'KEY_FILE' ] )
cleartext_keys = pull_cleartext_keys ( keys )
msg = " #{ ip } : #{ rport } SSH - Trying #{ cleartext_keys . size } cleartext key #{ ( cleartext_keys . size > 1 ) ? " s " : " " } per user. "
elsif datastore [ 'SSH_KEYFILE_B64' ] && ! datastore [ 'SSH_KEYFILE_B64' ] . empty?
keys = read_keyfile ( :keyfile_b64 )
cleartext_keys = pull_cleartext_keys ( keys )
msg = " #{ ip } : #{ rport } SSH - Trying #{ cleartext_keys . size } cleartext key #{ ( cleartext_keys . size > 1 ) ? " s " : " " } per user (read from datastore). "
elsif datastore [ 'KEY_DIR' ]
return :missing_keyfile unless ( File . directory? ( key_dir ) && File . readable? ( key_dir ) )
unless @key_files
2012-01-13 19:49:21 +00:00
@key_files = Dir . entries ( key_dir ) . reject { | f | f =~ / ^ \ x2e / }
2012-01-05 20:10:49 +00:00
end
these_keys = @key_files . map { | f | File . join ( key_dir , f ) }
keys = read_keyfile ( these_keys )
cleartext_keys = pull_cleartext_keys ( keys )
msg = " #{ ip } : #{ rport } SSH - Trying #{ cleartext_keys . size } cleartext key #{ ( cleartext_keys . size > 1 ) ? " s " : " " } per user. "
else
return :missing_keyfile
end
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
unless @alerted_with_msg
print_status msg
@alerted_with_msg = true
end
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
cleartext_keys . each_with_index do | key_data , key_idx |
key_info = " "
2012-03-18 05:07:27 +00:00
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
if key_data =~ / ssh \ -(rsa|dss) \ s+([^ \ s]+) \ s+(.*) /
2012-01-05 20:10:49 +00:00
key_info = " - #{ $3 . strip } "
end
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
accepted = [ ]
opt_hash = {
:auth_methods = > [ 'publickey' ] ,
:msframework = > framework ,
:msfmodule = > self ,
:port = > port ,
:key_data = > key_data ,
:disable_agent = > true ,
:record_auth_info = > true ,
:skip_private_keys = > true ,
:accepted_key_callback = > Proc . new { | key | accepted << key }
}
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
opt_hash . merge! ( :verbose = > :debug ) if datastore [ 'SSH_DEBUG' ]
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
begin
ssh_socket = Net :: SSH . start ( ip , user , opt_hash )
2012-03-18 05:07:27 +00:00
2012-01-07 07:13:23 +00:00
if datastore [ 'SSH_BYPASS' ]
data = nil
2012-03-18 05:07:27 +00:00
2012-01-13 19:49:21 +00:00
print_status ( " #{ ip } : #{ rport } SSH - User #{ user } is being tested for authentication bypass... " )
2012-03-18 05:07:27 +00:00
2012-01-07 07:13:23 +00:00
begin
:: Timeout . timeout ( 5 ) { data = ssh_socket . exec! ( " help \n id \n uname -a " ) . to_s }
rescue :: Exception
end
2012-03-18 05:07:27 +00:00
2012-01-13 19:49:21 +00:00
print_brute ( :level = > :good , :msg = > " User #{ user } successfully bypassed authentication: #{ data . inspect } " ) if data
2012-01-07 07:13:23 +00:00
end
2012-03-18 05:07:27 +00:00
2012-01-07 07:13:23 +00:00
:: Timeout . timeout ( 1 ) { ssh_socket . close } rescue nil
2012-03-18 05:07:27 +00:00
2012-01-05 20:10:49 +00:00
rescue Rex :: ConnectionError , Rex :: AddressInUse
return :connection_error
rescue Net :: SSH :: Disconnect , :: EOFError
return :connection_disconnect
rescue Net :: SSH :: AuthenticationFailed
rescue Net :: SSH :: Exception = > e
return [ :fail , nil ] # For whatever reason.
end
2012-02-22 05:57:55 +00:00
2012-01-05 20:10:49 +00:00
if accepted . length == 0
if @key_files
2012-01-13 19:49:21 +00:00
print_brute :level = > :verror , :msg = > " User #{ user } does not accept key #{ @key_files [ key_idx + 1 ] } #{ key_info } "
2012-01-05 20:10:49 +00:00
else
2012-01-13 19:49:21 +00:00
print_brute :level = > :verror , :msg = > " User #{ user } does not accept key #{ key_idx + 1 } #{ key_info } "
2012-01-05 20:10:49 +00:00
end
end
2012-02-22 05:57:55 +00:00
2012-01-05 20:10:49 +00:00
accepted . each do | key |
2012-01-13 19:49:21 +00:00
print_brute :level = > :good , :msg = > " Accepted: ' #{ user } ' with key ' #{ key [ :fingerprint ] } ' #{ key_info } "
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
do_report ( ip , rport , user , key , key_data )
2012-01-05 20:10:49 +00:00
end
end
end
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
def do_report ( ip , port , user , key , key_data )
return unless framework . db . active
2012-01-13 19:49:21 +00:00
keyfile_path = store_keyfile ( ip , user , key [ :fingerprint ] , key_data )
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
cred_hash = {
:host = > ip ,
:port = > rport ,
:sname = > 'ssh' ,
:user = > user ,
2012-01-13 19:49:21 +00:00
:pass = > keyfile_path ,
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
:source_type = > " user_supplied " ,
:type = > 'ssh_pubkey' ,
:proof = > " KEY= #{ key [ :fingerprint ] } " ,
:duplicate_ok = > true ,
2012-03-18 05:07:27 +00:00
:active = > true
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
}
this_cred = report_auth_info ( cred_hash )
end
2012-01-13 19:49:21 +00:00
def existing_loot ( ltype , key_id )
framework . db . loots ( myworkspace ) . find_all_by_ltype ( ltype ) . select { | l | l . info == key_id } . first
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
end
2012-01-13 19:49:21 +00:00
def store_keyfile ( ip , user , key_id , key_data )
safe_username = user . gsub ( / [^A-Za-z0-9] / , " _ " )
ktype = key_data . match ( / ssh-(rsa|dss) / ) [ 1 ] rescue nil
return unless ktype
ktype = " dsa " if ktype == " dss "
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
ltype = " host.unix.ssh. #{ user } _ #{ ktype } _public "
2012-01-13 19:49:21 +00:00
keyfile = existing_loot ( ltype , key_id )
return keyfile . path if keyfile
keyfile_path = store_loot (
ltype ,
" application/octet-stream " , # Text, but always want to mime-type attach it
ip ,
( key_data + " \n " ) ,
" #{ safe_username } _ #{ ktype } .pub " ,
key_id
)
return keyfile_path
Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
2012-01-09 04:28:37 +00:00
end
2012-01-05 20:10:49 +00:00
def run_host ( ip )
# Since SSH collects keys and tries them all on one authentication session, it doesn't
# make sense to iteratively go through all the keys individually. So, ignore the pass variable,
# and try all available keys for all users.
each_user_pass do | user , pass |
ret , proof = do_login ( ip , rport , user )
case ret
when :connection_error
2012-01-13 19:49:21 +00:00
vprint_error " #{ ip } : #{ rport } SSH - Could not connect "
2012-01-05 20:10:49 +00:00
:abort
when :connection_disconnect
2012-01-13 19:49:21 +00:00
vprint_error " #{ ip } : #{ rport } SSH - Connection timed out "
2012-01-05 20:10:49 +00:00
:abort
when :fail
2012-01-13 19:49:21 +00:00
vprint_error " #{ ip } : #{ rport } SSH - Failed: ' #{ user } ' "
2012-01-05 20:10:49 +00:00
when :missing_keyfile
2012-01-13 19:49:21 +00:00
vprint_error " #{ ip } : #{ rport } SSH - Cannot read keyfile "
2012-01-05 20:10:49 +00:00
when :no_valid_keys
2012-01-13 19:49:21 +00:00
vprint_error " #{ ip } : #{ rport } SSH - No readable keys in keyfile "
2012-01-05 20:10:49 +00:00
end
end
end
end