Commit Graph

233 Commits (5171e7edd27afcdf64bb1c49e4d0bd455d7b73a2)

Author SHA1 Message Date
RageLtMan 33c74c97e2 Add Opt::Proxies and opthash[:proxies] to ssh mods 2012-08-12 16:23:22 -04:00
RageLtMan c9690033c7 This commit allows ssh_login to use socks proxies. Net::SSH::Transport::Session could take a :proxy option,
but it expects a factory object not a string, when setting :proxy => datastore['Proxies'] user got:
"Auxiliary failed: NoMethodError private method `open' called for \"socks4:localhost:1080\":String."
VALID_OPTIONS in ssh.rb now takes :proxies option which is passed to the Rex socket in
Net::SSH::Transport::Session.new.

Testing: block all outgoing to SSH server, try to connect with a proxy. Try with :proxy option,
then merge this pull request and try again.
2012-08-12 16:01:52 -04:00
HD Moore f5533c5298 Enforce a timeout in the ssh handshake (avoid hangs in some cases) 2012-06-12 15:19:01 -05:00
sinn3r 3f0431cf51 Massive whitespace destruction
Remove whitespace found at the end of the line
2012-06-06 00:36:17 -05:00
sinn3r c30af98b53 Massive whitespace destruction
Remove all the lines that have nothing but whitespace
2012-06-06 00:22:36 -05:00
HD Moore 2ad17299e2 Handle cisco devices better with ssh logins 2012-05-31 14:59:24 -05:00
David Maloney 9e7acf3a57 left debug statement in module 2012-05-29 20:23:56 -05:00
David Maloney df85e4f586 Remove trailing comma 2012-05-21 16:28:02 -05:00
David Maloney 17943c7a48 Makes it so we don't ever use local config files for Net::SSH
Also makes sure that the :config =>false option keeps
Net:SSH from meddling with knowns_hosts too
2012-05-21 16:09:08 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
James Lee 464cf7f65f Normalize service names
Downcases lots and standardizes a few.  Notably, modules that reported a
service name of "TNS" are now "oracle".  Modules that report http
now check for SSL and report https instead.

[Fixes #6437]
2012-02-21 22:59:20 -07:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
Tod Beardsley 4ac6c0c3ee A great big pile of fixes to the ssh scanners
Not sure how this managed to fall out of master -- some of these fixes
are five days old, and should certianly have been merged in prior to
just now.
2012-01-13 13:49:21 -06:00
Tod Beardsley a1668f2b23 Adds SSHKey gem and some other ssh goodies
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.

Squashed commit of the following:

commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Jan 8 22:23:32 2012 -0600

    Updates ssh credentials to easily find common keys

    Instead of making the modules do all the work of cross-checking keys,
    this introduces a few new methods to the Cred model to make this more
    universal.

    Also includes the long-overdue workspace() method for credentials.

    So far, nothing actually implements it, but it's nice that it's there
    now.

commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Jan 8 20:10:40 2012 -0600

    Adding back cross-checking for privkeys.

    Needs to test to see if anything depends on order, but should
    be okay to mark up the privkey proof with this as well.

commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Jan 8 16:49:56 2012 -0600

    Add SSHKey gem, convert PEM pubkeys to SSH pubkeys

commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Jan 8 13:51:55 2012 -0600

    Store pubkeys as loot for reuse.

    Yanked cross checking for now, will drop back in before pushing.

commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Jan 8 02:10:12 2012 -0600

    Fixes up a couple typos in ssh_identify_pubkeys

commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sat Jan 7 17:18:33 2012 -0600

    Updates to ssh_identify_pubkeys and friends

    Switches reporting to cred-based rather than note-based, accurately deal
    with DSA keys, adds disable_agent option to other ssh modules, and
    reports successful ssh_login attempts pubkey fingerprints as well.

    This last thing Leads to some double accounting of creds, so I'm not
    super-thrilled, but it sure makes searching for ssh_pubkey types a lot
    easier.... maybe a better solution is to just have a special method for
    the cred model, though.
2012-01-08 22:28:37 -06:00
HD Moore b12baccc49 Quick update, added a research option 2012-01-07 01:13:23 -06:00
HD Moore 7b26e33e19 Initial version 2012-01-06 00:53:50 -06:00
James Lee 67120d4263 msftidy on aux modules, see #5749 2011-11-20 13:12:07 +11:00
David Maloney c984ea41d1 Quick fix to cred sourcing to eliminate spaces in the source type 2011-11-10 20:39:13 -08:00
David Maloney a88f954640 More Cred Sourcing
git-svn-id: file:///home/svn/framework3/trunk@14197 4d416f70-5f16-0410-b530-b9f4589650da
2011-11-09 01:49:57 +00:00
Tod Beardsley e9461c766e Msftidy run against a bunch of whitespace violations, a few line too longs.
git-svn-id: file:///home/svn/framework3/trunk@13962 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-17 02:42:01 +00:00
Carlos Perez 7ae1bbbb3f typo
git-svn-id: file:///home/svn/framework3/trunk@13904 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-13 01:49:36 +00:00
Carlos Perez a0c34d1c73 Sets a session platform when using ssh_login
git-svn-id: file:///home/svn/framework3/trunk@13903 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-13 01:48:42 +00:00
Tod Beardsley 486241cc99 SSH scanners shouldn't die just because they're on Windows and they try to talk to reserved addresses.
git-svn-id: file:///home/svn/framework3/trunk@13407 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-29 15:51:11 +00:00
James Lee 39c20b2935 cosmetic
git-svn-id: file:///home/svn/framework3/trunk@13174 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-14 20:27:25 +00:00
Tod Beardsley b9c5835b5e Touching up the ssh key login module to be smarter about duplicate user names, not be so chatty in its messaging to the console, deal with whitespace, and avoid storing duplicate keys when we don't need to.
git-svn-id: file:///home/svn/framework3/trunk@13162 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-13 20:51:18 +00:00
Tod Beardsley dc84ee6aab More fixups for ssh_login_pubkey and special handlers for long strings of keys.
git-svn-id: file:///home/svn/framework3/trunk@13156 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-12 20:58:25 +00:00
Tod Beardsley 04e2eb43ef Removing the load() line from ssh_login, just wanted it for dev.
git-svn-id: file:///home/svn/framework3/trunk@12980 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-20 19:23:00 +00:00
Tod Beardsley 6827495d17 Adds a # of passwords per username limiter to authbrute.
git-svn-id: file:///home/svn/framework3/trunk@12970 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-18 04:14:06 +00:00
Tod Beardsley db1619d035 Rejiggers the max credentials limiter a little, and adds a max time limiter per service.
git-svn-id: file:///home/svn/framework3/trunk@12967 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-17 22:40:25 +00:00
Tod Beardsley ab37580056 Refactored the AuthBrute mixin some to make the each_user_pass function a little cleaner and easier to maintain.
And maintain it I shall! Added in a standardized print_brute method to normalize the AuthBrute output to always include host, port, proto, and number of guesses over number remaining.

Also adds support for a MaxGuessesPerService datastore option for AuthBrute modules.

Currently, only ssh_login supports the new stuff, but now it's just a conversion matter. Will get to that in a bit.




git-svn-id: file:///home/svn/framework3/trunk@12958 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-16 22:08:45 +00:00
Joshua Drake 28ae2316a4 Fixes #4390, such a bute
git-svn-id: file:///home/svn/framework3/trunk@12578 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-10 20:52:59 +00:00
Tod Beardsley 3829d2606b Removing the un-used USER_AS_PASS option for ssh_login_pubkey.
git-svn-id: file:///home/svn/framework3/trunk@12411 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-22 21:05:27 +00:00
Tod Beardsley ea6b1bb626 Fixes #4190 by reseting self.ssh_socket after the connection is established.
git-svn-id: file:///home/svn/framework3/trunk@12402 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-22 15:32:00 +00:00
Tod Beardsley b91c81a182 Fixes #4074 -- corrects the affected regexes.
git-svn-id: file:///home/svn/framework3/trunk@12238 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-04 22:19:59 +00:00
Tod Beardsley 5f70c705c1 Committing the Kippo ssh honeypot detection as seen at AHA!.
git-svn-id: file:///home/svn/framework3/trunk@11817 4d416f70-5f16-0410-b530-b9f4589650da
2011-02-24 13:57:26 +00:00
Tod Beardsley 24388f3a38 Adding a CVE reference for weak/blank/guessable passwords.
git-svn-id: file:///home/svn/framework3/trunk@11465 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-04 15:30:17 +00:00
Joshua Drake 9c668b8daf Super-duper rservices commit -
1. Added rsh, rlogin, and rexec auth brute scanners
2. Login negotation moved into new Msf::Auxiliary::Login mixin
3. Centralized session registration for auth brute scanners
4. Telnet and SSH auth brute scanners updated to use new mixins
5. Previously committed rservices mixin (r11093)



git-svn-id: file:///home/svn/framework3/trunk@11106 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-23 01:23:24 +00:00
Jonathan Cran e295408327 typo!
git-svn-id: file:///home/svn/framework3/trunk@11103 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-22 22:43:34 +00:00
Joshua Drake 04858c69fc style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@10758 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-19 22:54:19 +00:00
Tod Beardsley c2938323cc Pretty much the same deal as r10592, but for SSH, which sometimes has similiar RST problems.
git-svn-id: file:///home/svn/framework3/trunk@10593 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-08 02:11:06 +00:00
HD Moore e939379b1b Fix missing end, use explicit Timeout class
git-svn-id: file:///home/svn/framework3/trunk@10366 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-18 04:15:32 +00:00
Tod Beardsley b023d89469 Wrap SSH and Telnet version checkers in a timeout, or else they sometimes hang forever.
git-svn-id: file:///home/svn/framework3/trunk@10365 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-18 03:00:19 +00:00
Tod Beardsley 6d6a547b34 Fixes #2412. Adds a creds table, modifies the db_report_auth API, adds the db_creds and db_add_cred commands.
git-svn-id: file:///home/svn/framework3/trunk@10034 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-18 00:58:20 +00:00
Joshua Drake f6033b9bd6 change some print_status to print_error, rename a few msft modules using msb convention
git-svn-id: file:///home/svn/framework3/trunk@9929 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-25 21:37:54 +00:00
Joshua Drake 0882838491 ensure binary mode when opening files, whitespace fixes
git-svn-id: file:///home/svn/framework3/trunk@9653 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-01 23:33:07 +00:00
Tod Beardsley 5f9680d902 Fixes #2133. This seems to handle many keyfiles pretty well, even if they're concatenated together. Calling it closed.
git-svn-id: file:///home/svn/framework3/trunk@9602 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-24 01:00:08 +00:00
Tod Beardsley d0e7736b2e See #2133 Ack dropping ugly timestamp
git-svn-id: file:///home/svn/framework3/trunk@9600 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-23 23:01:03 +00:00
Tod Beardsley dbdab1f282 See #2133. Needs more testing, but solves the immediate problem of dying in the face of MaxAuthTries.
git-svn-id: file:///home/svn/framework3/trunk@9599 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-23 22:58:56 +00:00
Tod Beardsley 613f288226 Fix up ssh_login_pubkey's session management for more effective session reuse.
git-svn-id: file:///home/svn/framework3/trunk@9563 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-19 15:03:27 +00:00
James Lee f440317225 store the name of the file we got the key from
git-svn-id: file:///home/svn/framework3/trunk@9300 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-14 06:00:06 +00:00
HD Moore d1c3b71fd4 Fix a typo
git-svn-id: file:///home/svn/framework3/trunk@9215 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-03 19:35:59 +00:00
Tod Beardsley 71a4ec6204 Pluralization.
git-svn-id: file:///home/svn/framework3/trunk@9214 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-03 18:43:44 +00:00
Joshua Drake 0ea6eca4bc big module whitespace/formatting cleanup pass
git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-30 08:40:19 +00:00
Tod Beardsley 08117ca000 Forcing :critical => true for report_auth_info
git-svn-id: file:///home/svn/framework3/trunk@9150 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-26 22:23:37 +00:00
Tod Beardsley a97e4c78bd Commit the key as :ssh_key, not :pass.
git-svn-id: file:///home/svn/framework3/trunk@9065 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-13 21:26:21 +00:00
Tod Beardsley 2a3b8ea57a Adds a module for scanning hosts for valid login credentials using unencrypted SSH private keys. Also completes the commit for r9059 to record auth_info hashes on successes.
git-svn-id: file:///home/svn/framework3/trunk@9062 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-13 19:21:48 +00:00
HD Moore ba12ddd280 Allow authbrute modules to use a single username/password in a sane way
git-svn-id: file:///home/svn/framework3/trunk@8945 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-27 23:52:43 +00:00
HD Moore 9cc4cab9ec Duplicate the datastore and manually set user/pass in the telnet/ssh modules
git-svn-id: file:///home/svn/framework3/trunk@8943 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-27 22:57:29 +00:00
James Lee 282c2fb2b2 targ_host --> target_host for consistency with other modules
git-svn-id: file:///home/svn/framework3/trunk@8906 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-25 00:40:50 +00:00
Tod Beardsley 83d96d713c Refactoring Auxiliary::AuthBrute. Now that several modules actually use it, the real use cases have become obvious. So, refactored for simplicity and readability. Also touched up all the authentication modules to behave consistently.
git-svn-id: file:///home/svn/framework3/trunk@8879 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-22 20:07:26 +00:00
HD Moore 9632f8251a Move OS-level fingerprints out, report note-level fingerprints instead
git-svn-id: file:///home/svn/framework3/trunk@8869 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-22 00:09:04 +00:00
HD Moore 480380003c Make verbose status printing standardized across login modules
git-svn-id: file:///home/svn/framework3/trunk@8866 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-21 18:42:47 +00:00
Tod Beardsley 4415e3fbbf Fixing up ssh_login reporting.
git-svn-id: file:///home/svn/framework3/trunk@8759 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-09 22:07:04 +00:00
Tod Beardsley a5e187bd69 Add the ability to slow down brute force sessions.
git-svn-id: file:///home/svn/framework3/trunk@8719 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-04 23:29:26 +00:00
Joshua Drake 7a37934a01 process autorun scripts for telnet_login and ssh_login
1. create session.process_autoruns in Msf::Sessions::CommandShell
2. call process_autoruns from within the handler on_session code
4. set user_input and user_output in sessions base set_from_exploit method
5. remove on_session from Msf::Sessions::CommandShellOptions
6. include CommandShellOptions into telnet_login and ssh_login
7. call sess.process_autoruns from telnet_login and ssh_login
8. celebrate (while crossing fingers of course)!

git-svn-id: file:///home/svn/framework3/trunk@8692 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-02 18:07:50 +00:00
HD Moore d5e07a3ba9 Change info
git-svn-id: file:///home/svn/framework3/trunk@8650 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-26 01:09:09 +00:00
James Lee 3961b9a3dd allow a single user/pass
git-svn-id: file:///home/svn/framework3/trunk@8645 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-25 22:44:13 +00:00
Tod Beardsley e7a7f254e4 Fixes SSH scanning in to recover in the face of tarpits and tcpwrappers and the like.
git-svn-id: file:///home/svn/framework3/trunk@8639 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-25 17:42:51 +00:00
HD Moore d148c95c84 The ssh login code can now create sessions
git-svn-id: file:///home/svn/framework3/trunk@8598 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-23 07:12:54 +00:00
HD Moore 9fc58c1e1f Collect command output and report it
git-svn-id: file:///home/svn/framework3/trunk@8569 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-20 16:06:01 +00:00
Tod Beardsley ab3b173040 So, funny story with net-ssh. Turns out, there's insufficient housekeeping on closing out connections in the event of authentication failures, which means you can start sucking up connections pretty good when you fail authentication a whole bunch of times. Fixed in the library, so now, if you pass a block to Net::SSH.start, and the authentication fails, the connection will still close out correctly, just as it would when the authentication succeeds.
Protip: If you don't pass a block, it's *still on the caller* to deal with the connection somehow. You'll want to basically always assign the connection to someplace you control, like so: sock = Net::SSH.start(whatever); sock.close). Otherwise, if you just Net::SSH.start without a block /or/ without assignment, you'll be stuck with all these useless connections hanging around.



git-svn-id: file:///home/svn/framework3/trunk@8556 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-19 03:02:25 +00:00
Tod Beardsley c24a708db6 See #859. Adds keyboard-interactive as an acceptable method of authentication.
git-svn-id: file:///home/svn/framework3/trunk@8548 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-18 16:11:58 +00:00
Tod Beardsley 4197f00701 Moves @credentials_tried and @credentials_good into auth_brute proper, though modules still
need to handle them themselves... which telnet and ssh both do now.



git-svn-id: file:///home/svn/framework3/trunk@8542 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-17 21:55:02 +00:00
Tod Beardsley 443e82bc75 Reworked ssh_login to a) handle all SSH errors, b) cease trying users if we already guessed a password and c) cease trying the same user:pass combo more than once.
git-svn-id: file:///home/svn/framework3/trunk@8540 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-17 20:12:02 +00:00
HD Moore 1686931efe More SSH versions
git-svn-id: file:///home/svn/framework3/trunk@8532 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-17 14:42:11 +00:00
Tod Beardsley 5fce04ce22 See #843, but this really just masks the problem. Investigate more thoroughly.
git-svn-id: file:///home/svn/framework3/trunk@8529 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-16 23:35:22 +00:00
Tod Beardsley 25ec6e8021 Removing the require rescues for SSH, now that it's shipping in lib directly.
git-svn-id: file:///home/svn/framework3/trunk@8528 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-16 23:21:51 +00:00
HD Moore 9c227ea0e7 Improved auxiliary detection
git-svn-id: file:///home/svn/framework3/trunk@8481 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-13 23:26:07 +00:00
Tod Beardsley 0e48287310 Adding a quickie ssh_login checker.
This will certainly change -- it's mostly just a placeholder now (though it does work).



git-svn-id: file:///home/svn/framework3/trunk@8472 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-12 23:00:36 +00:00
HD Moore 7390b1d42d Add and improve database reporting to existing scanner modules
git-svn-id: file:///home/svn/framework3/trunk@8131 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-15 03:25:34 +00:00
James Lee 53d9a9167d save the discovered version
git-svn-id: file:///home/svn/framework3/trunk@8036 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-30 18:23:03 +00:00
James Lee f85c522a07 don't try to parse an empty banner, fixes #373
git-svn-id: file:///home/svn/framework3/trunk@7186 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-18 18:23:19 +00:00
Patrick Webster d70d2c5d1e Added ssh_version.rb from Daniel van Eeden.
git-svn-id: file:///home/svn/framework3/trunk@6541 4d416f70-5f16-0410-b530-b9f4589650da
2009-05-11 02:46:59 +00:00