ssh_login bugged on non-standard devices #9519
Comments
Nice! By the way, I did figure out how to access a few local Juniper and other targets (d'oh, they were just powered off), so we will be able to do some local testing here as well.
I want to say the most substantial thing we did here was switch from a local fork of net-ssh to upstream https://github.com/net-ssh/net-ssh. net-ssh can also be used outside of Metasploit, so we can tell if this is an upstream issue, or something to do with how Metasploit is using it.
I think a common thread with these is the targets don't have real shells, but just implement a raw command dispatcher. Seems similar to ansible/ansible#30224. Currently reading the https://net-ssh.github.io/net-ssh/Net/SSH/Connection/Session.html#method-i-open_channel docs to see how to set up a raw session. I think @wvu needed this for an exploit module as well.
It looks like as long as we don't call the
Since the remote hosts here do not support the 'exec' channel type, we need to send_channel_request("shell", ...) to get a raw shell instead. There aren't wrappers in net-ssh for this, so CommandStream needs to do it directly I think.
This is the kind of thing we're looking for: https://github.com/mitchellh/net-ssh-shell/blob/master/lib/net/ssh/shell.rb#L153
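The difference between the "exec" and "shell" channel requests discussed in the comments above, shown at the wire level (RFC 4254) as an added example; this is not code from Metasploit, net-ssh, or any commenter. The helper names, the `DISPATCHER_ONLY` device model, and the sample command are constructed for illustration.

```ruby
# Added illustration (not Metasploit or net-ssh code): RFC 4254 channel requests
# as raw bytes, plus a constructed model of a dispatcher-only SSH appliance.
MSG_CHANNEL_DATA    = 94
MSG_CHANNEL_REQUEST = 98
MSG_CHANNEL_SUCCESS = 99
MSG_CHANNEL_FAILURE = 100

# SSH "string": uint32 length followed by the raw bytes.
def ssh_string(str)
  [str.bytesize].pack("N") + str.b
end

# "exec" carries the command inside the request; "shell" has no payload.
def channel_request(recipient, type, command: nil, want_reply: true)
  pkt = [MSG_CHANNEL_REQUEST, recipient].pack("CN") + ssh_string(type)
  pkt += [want_reply ? 1 : 0].pack("C")
  pkt += ssh_string(command.to_s) if type == "exec"
  pkt
end

# After a successful "shell" request, commands travel as channel data.
def channel_data(recipient, data)
  [MSG_CHANNEL_DATA, recipient].pack("CN") + ssh_string(data)
end

def parse_channel_request(pkt)
  msg, recipient, len = pkt.unpack("CNN")
  raise ArgumentError, "not a channel request" unless msg == MSG_CHANNEL_REQUEST
  type = pkt.byteslice(9, len)
  req = { recipient: recipient, type: type, want_reply: pkt.getbyte(9 + len) == 1 }
  if type == "exec"
    cmd_len = pkt.byteslice(10 + len, 4).unpack1("N")
    req[:command] = pkt.byteslice(14 + len, cmd_len)
  end
  req
end

# Constructed device model: accepts only "shell", refuses everything else.
DISPATCHER_ONLY = lambda do |pkt, client_channel|
  ok = parse_channel_request(pkt)[:type] == "shell"
  [ok ? MSG_CHANNEL_SUCCESS : MSG_CHANNEL_FAILURE, client_channel].pack("CN")
end

# Hypothetical client logic: try "exec", fall back to "shell" + channel data.
def run_command(device, remote_id, local_id, command)
  reply = device.call(channel_request(remote_id, "exec", command: command), local_id)
  return [:exec, nil] if reply.getbyte(0) == MSG_CHANNEL_SUCCESS
  reply = device.call(channel_request(remote_id, "shell"), local_id)
  return [:refused, nil] unless reply.getbyte(0) == MSG_CHANNEL_SUCCESS
  [:shell, channel_data(remote_id, command + "\n")]
end
```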
For the record (apologies for repeating myself), sending a shell channel request did not work for me with Fortinet. I received an "unknown admin user" error. I will give #9524 a test as soon as I'm able. Hopefully my code was just wrong. Thanks!
@busterb you mentioned you found a screenOS. What hardware and screen os version? My SSG5 is still not working after patch.
SSG-520M-SH running 6.0.0r4.0
I had a few emails with @bcook-r7 about this, but at some point between #6731 and now, a bug was introduced into ssh_login. When going interactive on non-standard shell sessions, you get no feedback, and I doubt the inputs are being sent to the device, or other similar errors.
Working against OpenSSH Server
Broken Juniper SSG5
This is the same device as in #6731
I'll also note on this that the RECV light on the switch does not light up when the commands are sent (as it does each key press during a standard ssh client session). However, normal ssh works fine.
Broken Juniper SSG5 Emulator
The Juniper SSH emulator is also not working any more (although it works against a standard ssh client). I'd be more inclined to believe my python script was broken, but standard ssh client works fine.
vs
and the ssh side:
@bcook-r7 was able to confirm something similar but different against a Sun baseband controller
I'll also note it does seem to detect a valid login on the ssg5: