first round of SSL damage fixes

modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb

@@ -71,24 +71,27 @@ class MetasploitModule < Msf::Auxiliary
   def do_login(user, pass, ip)
     factory = ssh_socket_factory
     opts = {
-      :auth_methods => ['password'],
-      :port         => rport,
-      :disable_agent => true,
-      :config => false,
-      :password         => pass,
-      :record_auth_info => true,
-      :proxy            => factory,
-      :non_interactive => true
+      auth_methods:    ['password'],
+      port:            rport,
+      config:          false,
+      use_agent:       false,
+      password:        pass,
+      proxy:           factory,
+      non_interactive: true
     }
 
-    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
 
     begin
-      ssh = nil
-      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
-        ssh = Net::SSH.start(ip, user, opts)
+      ssh = ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        Net::SSH.start(ip, user, opts)
       end
-    rescue OpenSSL::Cipher::CipherError => e
+      if ssh
+        print_good("#{ip}:#{rport}- Login Successful with '#{user}:#{pass}'")
+      else
+        print_error "#{ip}:#{rport} - Unknown error"
+      end
+    rescue OpenSSL:Cipher::CipherError: e
       print_error("#{ip}:#{rport} SSH - Unable to connect to this Apache Karaf (#{e.message})")
       return
     rescue Rex::ConnectionError
@@ -101,16 +104,11 @@ class MetasploitModule < Msf::Auxiliary
       return
     rescue Net::SSH::AuthenticationFailed
       print_error "#{ip}:#{rport} SSH - Failed authentication"
-    rescue Net::SSH::Exception => e
+    rescue Net:SSH::Exception: e
       print_error "#{ip}:#{rport} SSH Error: #{e.class} : #{e.message}"
       return
     end
 
-    if ssh
-      print_good("#{ip}:#{rport}- Login Successful with '#{user}:#{pass}'")
-    else
-      print_error "#{ip}:#{rport} - Unknown error"
-    end
     ssh
   end
 

modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb

@@ -68,23 +68,21 @@ class MetasploitModule < Msf::Auxiliary
   end
 
   def check_vulnerable(ip)
-    options = {
-      :port => rport,
-      :auth_methods  => ['password', 'keyboard-interactive'],
-      :msframework   => framework,
-      :msfmodule     => self,
-      :disable_agent => true,
-      :config        => false,
-      :proxies       => datastore['Proxies']
+    opt_hash = {
+      port:          rport,
+      auth_methods:  ['password', 'keyboard-interactive'],
+      use_agent:     false,
+      config:        false,
+      proxies:       datastore['Proxies']
     }
 
     begin
-      transport = Net::SSH::Transport::Session.new(ip, options)
+      transport = Net::SSH::Transport::Session.new(ip, opt_hash)
     rescue Rex::ConnectionError
       return :connection_error
     end
 
-    auth = Net::SSH::Authentication::Session.new(transport, options)
+    auth = Net::SSH::Authentication::Session.new(transport, opt_hash)
     auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))
     auth_method = auth.allowed_auth_methods.join('|')
     print_status "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"
@@ -111,7 +109,7 @@ class MetasploitModule < Msf::Auxiliary
       :msframework   => framework,
       :msfmodule     => self,
       :port          => port,
-      :disable_agent => true,
+      :use_agent     => false,
       :config        => false,
       :proxies       => datastore['Proxies']
     }

modules/auxiliary/scanner/ssh/fortinet_backdoor.rb

@@ -47,7 +47,7 @@ class MetasploitModule < Msf::Auxiliary
       port:         rport,
       auth_methods: ['fortinet-backdoor'],
       proxy: factory,
-      :non_interactive => true
+      non_interactive: true
     }
 
     ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb

@@ -46,7 +46,7 @@ class MetasploitModule < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(22),
-        OptPath.new('KEY_FILE', [false, 'Filename of one or several cleartext public keys.'])
+        OptPath.new('KEY_FILE', [true, 'Filename of one or several cleartext public keys.'])
       ]
     )
 
@@ -210,10 +210,9 @@ class MetasploitModule < Msf::Auxiliary
         :port         => port,
         :key_data     => key_data[:public],
         :use_agent     => false,
-        :record_auth_info  => true,
-        :skip_private_keys => true,
         :config =>false,
-        :accepted_key_callback => Proc.new {|key| accepted << { :data => key_data, :key => key, :info => key_info } },
+        #:skip_private_keys => true,
+        #:accepted_key_callback => Proc.new {|key| accepted << { :data => key_data, :key => key, :info => key_info } },
         :proxy	  => factory,
         :non_interactive => true
       }
@@ -222,7 +221,7 @@ class MetasploitModule < Msf::Auxiliary
 
       begin
         ssh_socket = nil
-        ::Timeout.timeout(datastore['SSH_TIMEOUT']) { ssh_socket = Net::SSH.start(ip, user, opt_hash) } rescue nil
+        ::Timeout.timeout(datastore['SSH_TIMEOUT']) { ssh_socket = Net::SSH.start(ip, user, opt_hash) }
 
         if datastore['SSH_BYPASS'] and ssh_socket
           data = nil
@@ -257,8 +256,10 @@ class MetasploitModule < Msf::Auxiliary
       end
 
       accepted.each do |key|
-        private_key_present = (key[:data][:private]!="") ? 'Yes' : 'No'
-        print_brute :level => :good, :msg => "Public key accepted: '#{user}' with key '#{key[:key][:fingerprint]}' (Private Key: #{private_key_present}) #{key_info}"
+        private_key_present = (key[:data][:private] != "") ? 'Yes' : 'No'
+        key_fingerprint = key[:key][:fingerprint]
+        print_brute :level => :good, :msg => \
+          "Public key accepted: '#{user}' with key '#{key_fingerprint}' (Private Key: #{private_key_present}) #{key_info}"
         do_report(ip, rport, user, key)
       end
     end
@@ -352,9 +353,10 @@ class MetasploitModule < Msf::Auxiliary
   end
 
   def run_host(ip)
-    # Since SSH collects keys and tries them all on one authentication session, it doesn't
-    # make sense to iteratively go through all the keys individually. So, ignore the pass variable,
-    # and try all available keys for all users.
+    # Since SSH collects keys and tries them all on one authentication session,
+    # it doesn't make sense to iteratively go through all the keys
+    # individually. So, ignore the pass variable, and try all available keys
+    # for all users.
     each_user_pass do |user,pass|
       ret, _ = do_login(ip, rport, user)
       case ret

modules/exploits/apple_ios/ssh/cydia_default_ssh.rb

@@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::Remote::SSH
 
   def initialize(info={})
     super(update_info(info,
@@ -85,7 +86,6 @@ class MetasploitModule < Msf::Exploit::Remote
       :use_agent => false,
       :config => false,
       :password => pass,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }

modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb

@@ -74,16 +74,13 @@ class MetasploitModule < Msf::Exploit::Remote
   def do_login(user)
     factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
     opt_hash = {
-      :auth_methods => ['publickey'],
-      :msframework  => framework,
-      :msfmodule    => self,
-      :port         => rport,
-      :key_data     => [ key_data ],
-      :use_agent    => false,
-      :config       => false,
-      :record_auth_info => true,
-      :proxy => factory,
-      :non_interactive => true
+      auth_methods:       ['publickey'],
+      port:               rport,
+      key_data:           [ key_data ],
+      use_agent:          false,
+      config:             false,
+      proxy:              factory,
+      non_interactive:    true
     }
     opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
     begin

modules/exploits/linux/ssh/exagrid_known_privkey.rb

@@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::SSH
 
   def initialize(info = {})
     super(update_info(info, {
@@ -83,7 +84,6 @@ class MetasploitModule < Msf::Exploit::Remote
       password: 'inflection',
       port: rport,
       proxy: factory,
-      record_auth_info: true,
       non_interactive:  true
     }
     ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']

modules/exploits/linux/ssh/f5_bigip_known_privkey.rb

@@ -73,16 +73,13 @@ class MetasploitModule < Msf::Exploit::Remote
   def do_login(user)
     factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
     opt_hash = {
-      :auth_methods => ['publickey'],
-      :msframework  => framework,
-      :msfmodule    => self,
-      :port         => rport,
-      :key_data     => [ key_data ],
-      :use_agent => false,
-      :config => false,
-      :record_auth_info => true,
-      :proxy => factory,
-      :non_interactive => true
+      auth_methods:    ['publickey'],
+      port:            rport,
+      key_data:        [ key_data ],
+      use_agent:       false,
+      config:          false,
+      proxy:           factory,
+      non_interactive: true
     }
     opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
     begin

modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb

@@ -76,7 +76,6 @@ class MetasploitModule < Msf::Exploit::Remote
       :key_data     => [ key_data ],
       :use_agent => false,
       :config => false,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }

modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb

@@ -75,7 +75,6 @@ class MetasploitModule < Msf::Exploit::Remote
       :key_data     => [ key_data ],
       :use_agent => false,
       :config => false,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }

modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb

@@ -87,7 +87,6 @@ class MetasploitModule < Msf::Exploit::Remote
       :use_agent => false,
       :config => true,
       :password => pass,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }

modules/exploits/linux/ssh/symantec_smg_ssh.rb

@@ -91,7 +91,6 @@ class MetasploitModule < Msf::Exploit::Remote
       :use_agent => false,
       :config => false,
       :password => pass,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }

modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb

@@ -101,14 +101,11 @@ class MetasploitModule < Msf::Exploit::Remote
 
     factory = ssh_socket_factory
     opts = {
-      #:auth_methods => ['password', 'keyboard-interactive'],
       :auth_methods => ['publickey'],
       :port         => rport,
       :use_agent => false,
       :config => true,
       :key_data     => key_data,
-      #:password => pass,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }
@@ -125,7 +122,6 @@ class MetasploitModule < Msf::Exploit::Remote
       :use_agent => false,
       :config => true,
       :password => pass,
-      :record_auth_info => true,
       :proxy => factory,
       :non_interactive => true
     }

modules/exploits/unix/ssh/tectia_passwd_changereq.rb

@@ -186,7 +186,7 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def init_ssh(user)
-    opts       = {:user=>user, :record_auth_info=>true, :port=>rport}
+    opts       = {:user=>user, :port=>rport}
     options    = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts)
     transport  = Net::SSH::Transport::Session.new(rhost, options)
     connection = Net::SSH::Connection::Session.new(transport, options)