hackgear/sshpta
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
Repository files navigation
sshpta (alpha) v0.22
SSH Pen Tester Automation
===
sshpta is an SSH automation tool specifically aimed at
saving penetration testers time when they have to carry
out reptitive tasks against multiple target SSH hosts.
The tool was initially created as a simple way to login
using interactive password based authentication to multiple
hosts and run a set of commands. The tool has evolved to
try and help with privilege escalation on target hosts,
allow running of a provided shell script on remote hosts
along with the retrival of results and finally now should
allow key based authentication.
===
Dependencies:
apt-get install libssh2-1-dev libssh2-php
===
Usage:
-t Target List File or Target
-u User List File or User
-p Password List File or Password
-c Command List File or Command
php ./sshpta.php -t ./targets.txt -u user -p ./password.txt -c ./command_list.txt
The script first determines if a file exists for each parameter
otherwise a single instance can be entered.
-l Enable Logging to this directory
php ./sshpta.php -t ./targets.txt -u user -p ./password.txt -c ./command_list.txt -l ./logs/
-b Specifiy a local shell script to run on remote host(s)
The script excutes the script within a /tmp/ working directory
and anything stored in the working directory is retrieved
i.e. ps aux > ./ps_aux.txt
id > ./id.txt
cp /etc/passwd ./passwd.txt
You must specify a local log directory for incoming .tar.gz files
containing output
-m Max command execution time (seconds)
-d Adjust the command delay overide option {[sshpta-delay}} (seconds)
===
Replacements:
The following can be used in the command list to be replaced with
current values - mainly for priv esc:
{{sshpta-username}}
{{sshpta-password}}
In addition to these replacements the command end detection can be turned off
for a single command and split up with by usig the value {{sshpta-delay}}
wihtin a single command line.
i.e. su -{{sshpta-delay}}<INSERT ROOT PASSWORD HERE>
Would cause su - to be send then trigger a delay then send the password
{{sshpta-delay}} is 2 seconds by default but can be modified by -d parameter
Simple example:
php ./sshpta.php -t ./targets.txt -u ./users.txt -p ./password.txt
-c 'su -{{sshpta-delay}}r00tp4ssw0rd{{sshpta-delay}}id'
===
Priv Esc and Local Shell Scripts:
The order by which the script works means that commands specified
in command list are executed run before the shell script allowing
for priv esc if required.
===
Target File Format:
Can either just be a Hostname/IP (Defaults to port 22):
example.com
Hostname/IP and Port:
example.com:2222
Hostname/IP and Port and Password (For use where you
have a password per host)
example.com:22:P455w0rd
===
Key-Based Authentication (Experimental):
A very hacked together approach I know but by providing a 'password'
in the following format should allow key based authentication to be used.
<publickey-file>{{sshpta-key}}<privatekey-file>{{sshpta-key}}<passphrase>
===
Predicted issues:
* /tmp/ is sometimes marked as non-exec therefore local
bash script option will not work. Planned fixes.
* tar is assumed to be present on remote system etc.
want to build in more error checking to run remote
host checks
* Remote permissions are not great, very 'hacky'
===
TODO:
* More Error Checking
* Multi-Thread
* Add built in host enumeration option / priv esc vector checker