Remove SSH scanner using known_hosts

[kkirsche]

Fix #10266

This disables writing to the known_hosts file when performing auxiliary ssh scans.

Tell us what this change does. If you're fixing a bug, please mention
the github issue number.

Verification

List the steps needed to make sure this thing works. This is described assuming a hackthebox.eu VIP membership. Replication can be made without this and a different RHOSTS value.

• Connect to HackTheBox VPN
• Delete ~/.ssh/known_hosts
• Start msfconsole
• use auxiliary/scanner/ssh/ssh_login
• set USERNAME test
• set PASSWORD test
• set RHOSTS 10.10.10.6
• exploit
• Verify that the ~/.ssh/known_hosts file was not created.
• Verify that the scan still occurred. This can be done via valid login credentials instead of invalid
• Document Documentation is not applicable to this change, I believe.

Tested via HackTheBox retired machine Popcorn using Kali distributed MSF.

ssh.rc:

use auxiliary/scanner/ssh/ssh_login
set USERNAME test
set PASSWORD test
set RHOSTS 10.10.10.6
exploit

Before:

~ $ rm ~/.ssh/known_hosts 
rm: remove regular file '/root/.ssh/known_hosts'? y
 ~ $ cat ~/.ssh/known_hosts 
cat: /root/.ssh/known_hosts: No such file or directory
 ~ $ msfconsole -r ssh.rc
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing ssh.rc for ERB directives.
resource (ssh.rc)> use auxiliary/scanner/ssh/ssh_login
resource (ssh.rc)> set USERNAME test
USERNAME => test
resource (ssh.rc)> set PASSWORD test
PASSWORD => test
resource (ssh.rc)> set RHOSTS 10.10.10.6
RHOSTS => 10.10.10.6
resource (ssh.rc)> exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_login) > exit
 ~ $ cat .ssh/known_hosts 
10.10.10.6 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyBXr3xI9cjrxMH2+DB7lZ6ctfgrek3xenkLLv2vJhQQpQ2ZfBrvkXLsSjQHHwgEbNyNUL+M1OmPFaUPTKiPVP9co0DEzq0RAC+/T4shxnYmxtACC0hqRVQ1HpE4AVjSagfFAmqUvyvSdbGvOeX7WC00SZWPgavL6pVq0qdRm3H22zIVw/Ty9SKxXGmN0qOBq6Lqs2FG8A14fJS9F8GcN9Q7CVGuSIO+UUH53KDOI+vzZqrFbvfz5dwClD19ybduWo95sdUUq/ECtoZ3zuFb6ROI5JJGNWFb6NqfTxAM43+ffZfY28AjB1QntYkezb1Bs04k8FYxb5H7JwhWewoe8xQ==

After:

 ~ $ rm ~/.ssh/known_hosts 
rm: cannot remove '/root/.ssh/known_hosts': No such file or directory
 ~ $ cat ~/.ssh/known_hosts
cat: /root/.ssh/known_hosts: No such file or directory
 ~ $ msfconsole -r ssh.rc
                                                  

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|                                                       https://metasploit.com |
|______________________________________________________________________________|


       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing ssh.rc for ERB directives.
resource (ssh.rc)> use auxiliary/scanner/ssh/ssh_login
resource (ssh.rc)> set USERNAME test
USERNAME => test
resource (ssh.rc)> set PASSWORD test
PASSWORD => test
resource (ssh.rc)> set RHOSTS 10.10.10.6
RHOSTS => 10.10.10.6
resource (ssh.rc)> exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_login) > exit
 ~ $ cat ~/.ssh/known_hosts 
cat: /root/.ssh/known_hosts: No such file or directory
 ~ $ ls ~/.ssh
id_rsa  id_rsa.pub

[wvu]

As noted, this fixes just LoginScanner modules. I think this is a good start. Thank you!

[kkirsche]

Ah, I had completely forgot to look for other scanners this might be in. I can look and see for others that use SSH. Should this be disabled for every scanner module using SSH (and potentially most exploits?).

[h00die]

Didn't get a chance to test this, but does it address a key collision? I know it may prevent it in the scenario where you ONLY us msf, but what about this likely scenario:

1. ssh to a box to confirm creds work
2. change the key in known_hosts (simulating a change of networks, or other scenario where an IP will have SSH but a diff key)
3. use the ssh_login scanner. While it doesn't WRITE the key, i think it'll still fail since theres a key mismiatch

[kkirsche]

Assuming the entry is a valid key after the change, yes this works. If it is not a valid key (change a random letter), you'll get an error about the key not being on the curve.

 ~ $ rm ~/.ssh/known_hosts
rm: cannot remove '/root/.ssh/known_hosts': No such file or directory
 ~ $ ssh kkirsche@10.10.10.151
The authenticity of host '10.10.10.151 (10.10.10.151)' can't be established.
ECDSA key fingerprint is SHA256:bC3G5nM2vOAKvxGJZi7GtyHmNy9Q354FSJDx6uGSxis.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.151' (ECDSA) to the list of known hosts.
kkirsche@10.10.10.151's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-29-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

10 packages can be updated.
0 updates are security updates.

New release '18.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Aug 14 21:56:21 2018 from 10.10.10.152
 ~ $ exit
So long and thanks for all the fish.
  -- Douglas Adams
Connection to 10.10.10.151 closed.
 ~ $ cat .ssh/known_hosts
|1|SYDU3Dqk5e4s9Kb8HKAaFWUQ24s=|grP5GwG/yyhrqHQZQrCg6r+ET1Q= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIQKsjSTSzXqTSnvG9weXrz/a8zjOmlyOUqb3s0Gm9aFfvpTNgb7y2RTPsrCeEKjZCOPv62hAosaSilddsf/Tnc=
 ~ $ nvim .ssh/known_hosts
 ~ $ cat .ssh/known_hosts
|1|SYDU3Dqk5e4s9Kb8HKAaFWUQ24s=|grP5GwG/yyhrqHQZQrCg6r+ET1Q= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAU0/ZB8Dek86X81VOEGWzBGffKok2FegqPyquKkOucIgnJUFynPtayo4w9P/d5eQs0U9OJW1NLjcnN0QHyf0Oc=
 ~ $ msfconsole -r ssh.rc
                                                  

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,
           :kk;.OOOOOOOOOOOOO.;Ok:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing ssh.rc for ERB directives.
resource (ssh.rc)> use auxiliary/scanner/ssh/ssh_login
resource (ssh.rc)> set USERNAME kkirsche
USERNAME => kkirsche
resource (ssh.rc)> set PASSWORD EXAMPLE
PASSWORD => EXAMPLE
resource (ssh.rc)> set RHOSTS 10.10.10.151
RHOSTS => 10.10.10.151
resource (ssh.rc)> exploit
[+] 10.10.10.151:22 - Success: 'kkirsche:EXAMPLE' 'uid=1000(kkirsche) gid=1000(kkirsche) groups=1000(kkirsche),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux gh0st 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 10:19:08 UTC 2018 i686 i686 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.152:43509 -> 10.10.10.151:22) at 2018-08-14 22:02:22 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_login) > 

[kkirsche]

Removed host key checking on the auxiliary/scanner/ssh modules.

[wvu]

@kkirsche: When I posted #10266, I had been complaining about all SSH modules (exploits included) and the lack of consistency in the hash that's ultimately supplied to Net::SSH.start. I was definitely pointing a finger at the scanners, though!

[kkirsche]

Sounds good, would be easy enough to get this in all of them. I’ll add that then and let you know when those are in.

[wvu]

Is there a reason for changing the syntax here? I prefer the newer hash syntax if possible. All these keys are symbols, too.

[wvu]

That said, hashrockets are more consistent with varying key types. I won't complain too much - just asking why it's necessary to change syntax.

[kkirsche]

Consistency is the only reason. While I also prefer the new syntax, rocket formatted ones are what I’ve been asked for before when building exploit information hashes and was the style of the LoginScanner. As such, while I prefer the newer one, I think consistency is more important than minimal changes. I’m open though to other opinions if we want to use them, but stylistically I think the framework would benefit from a more defined code style guideline around hash structures

[wvu]

Agreed. I ask only because you're modifying my module. :-)

[wvu]

I think hashrockets will be the way to go if we publish our own style guide (and not just cargo-cult the Ruby style guide). We have such wildly varying hashes that it'd make sense to stick to one style.

[wvu]

Python is a little more predictable. :-)

[kkirsche]

Added all of the exploits that were within a ssh folder under the OS, wvu-r7. Will wait for the tests and fix anything out of line, but I don't expect anything unless there was a tabs / spaces issue

[kkirsche]

this was one hash that had a mix of the styles

[wvu]

Yeah, yuck. And they're still all symbol keys, so they COULD have used the newer syntax. Oh well. Hashrockets it is!

[kkirsche]

Looks like everything passed, so take a look when you have time (no rush) and let me know if there are any changes needed or things missing scope wise.

[wvu]

Awesome, will take a look!

[wvu]

60c0272

I ended up consolidating on the newer hash syntax for my modules, since I was using it already in the same code - just want to be consistent. I've also cleaned up whitespace around the hashrockets.

Tested and verified working. No more crap in my known_hosts. Initially I had wanted to disable just known_hosts and not key verification, but I can't think of any module that actually verifies the key.

This works great. Thanks!

[wvu]

Release Notes

This disables host key verification for SSH modules, preventing Metasploit from writing to the user's ~/.ssh/known_hosts file, especially when running a scanner module against a range of hosts.

[kkirsche]

Course and that’s fair. Potentially it’d make sense to have an issue to standardize certain coding conventions like that.

And the white space makes sense, I wasn’t sure which way to go on it. I ended up going with nvim’s first tab location after the word rather than aligning with the natural rocket location of the longest entry.

Appreciate the time reviewing this :)