
Loot Git SSH Keys #12422

Merged
merged 7 commits into from Dec 1, 2019

Conversation

wdahlenburg (Contributor) commented Oct 8, 2019

This post exploitation module is used to test ssh keys on a compromised server for Git access. The primary use case is for testing access to GitHub, but similar solutions are feasible.

An SSH key can allow private repositories to be downloaded. This may contain sensitive information that may have been unavailable otherwise.

An SSH key can also be used to modify and upload code on behalf of the user. This could be used to insert a backdoor into existing code.

This module will attempt to utilize the existing private keys on a host and authenticate against some Git server (GitHub by default). If successful, it will store the private key as loot and print out the Git user that was accessed.

This module attempts to be respectful of existing .ssh/config files by backing them up and removing evidence of the temporary .ssh/config file. It also does not append the Git server to the .ssh/known_hosts file, so evidence of this module being run is limited.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Obtain a session on linux (root or user account)
  • use post/linux/gather/git_keys
  • set session 1
  • Set GITSERVER to github.mycompany.com if needed, else github.com is default
  • run
  • Verify a session on a user account will only test the user's ssh keys
  • Verify a session on a root account will test every user's ssh keys
dwelch-r7 (Contributor) commented Oct 8, 2019

Hey @wdahlenburg, it looks like we already have a post module for gathering SSH keys and storing them in loot (post/multi/gather/ssh_creds). Wondering if it might make more sense to have this as an aux module that can use the keys stored in loot and try them against different git servers.

wdahlenburg (Contributor, Author) commented Oct 8, 2019

@dwelch-r7 The purpose of this module is less about storing the ssh keys than determining further access with Git. This could definitely be taken out of the module. It was added for convenience of just pulling the working keys.

As for an aux module, that would definitely be doable. The one difference is that the outbound ssh connection would be routed through your machine versus the one with a session. After GitHub's initial public key verification, it doesn't seem to log what IP the SSH connection was made from.

What are your thoughts?

dwelch-r7 (Contributor) commented Oct 9, 2019

Well, if it was changed to be an aux module you could always use the proxies option if the request needed to come from the target's machine for whatever reason.

is there anyone else that has strong feelings one way or the other?

acammack-r7 (Contributor) commented Oct 9, 2019

This is a nifty idea, though I agree that this should probably be part of another module. I think in an ideal world we could do this with our ssh_login aux module, but it currently doesn't use stored keys and it's a bit fiddly to get working through a session. If you or @dwelch-r7 want to take a stab at that it would be pretty cool. An easier lift that still reduces extra code would be to add a test like this to post/multi/gather/ssh_creds.

wdahlenburg (Contributor, Author) commented Oct 10, 2019

I like the idea of an aux module better. Reusing stored keys has more portability across different operating systems than attempting to find the keys on just a linux host. I'll start working on this and add documentation.

I'll look into adding functionality of using stored keys with the ssh_login module, but that should be tracked separately.

@wdahlenburg wdahlenburg force-pushed the wdahlenburg:git_loot branch from 779dd2a to 0dd2ce9 Oct 24, 2019
Review thread on modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb (outdated, resolved):
if output.include? 'successfully authenticated'
return output.split[1].delete_suffix('!')
elsif output.include? 'GitLab'
return output.split[3].delete_suffix('!')

bcoles (Contributor) commented Oct 24, 2019

output.split[3] may raise.

wdahlenburg (Contributor, Author) commented Oct 24, 2019

Would matching with regex be a better way to parse this?

wdahlenburg (Contributor, Author) commented Oct 25, 2019

Switched to regex in d12fce6

Review thread on modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb (outdated, resolved):
return keys
end

def provide_user(output)

bcoles (Contributor) commented Oct 24, 2019

provide_user is not an intuitive method name.

wdahlenburg (Contributor, Author) commented Oct 24, 2019

Thoughts on parse_user ?

bcoles (Contributor) commented Oct 24, 2019

Later on, you reject all keys when no user is present with unless user.empty?. The only place that the user is populated is in this method. This implies that this method might do more than extract/parse the username - it is also solely responsible for determining whether authentication was successful.

wdahlenburg (Contributor, Author) commented Oct 25, 2019

This was switched to parse_user and the unless statement was removed from the table. Entries will only be added if the username is found and matches the regex per supported git server.

@bcoles bcoles added docs and removed needs-docs labels Oct 24, 2019
wdahlenburg (Contributor, Author) commented Nov 5, 2019

@bcoles @dwelch-r7 @acammack-r7 Do you have any more feedback or reviews?

[
OptPath.new('KEY_FILE', [false, 'Filename of a private key.', nil]),
OptPath.new('KEY_DIR', [false, 'Directory of several keys. Filenames will be recursively found matching id_* (Ex: /home/user/.ssh)', nil]),
OptString.new('GITSERVER', [false, 'Optional parameter to specify alternate Git Server (GitHub, GitLab, etc)', 'github.com'])

dwelch-r7 (Contributor) commented Nov 26, 2019

This probably makes more sense as a mandatory option with the default of github (which you already have done) but some sort of git server should be specified

wdahlenburg (Contributor, Author) commented Nov 27, 2019

02bb97f should address this
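
Pulling the pieces of this thread together (the recursive id_* key search described for the KEY_DIR option, the ssh invocation from the PR description that leaves known_hosts and .ssh/config alone, and the parse_user question bcoles raised about split indexing raising on a failed login), here is an added Ruby example. It is not the module's code: find_keys, ssh_probe_argv, parse_user and probe_key are hypothetical names, and the banner text is taken from what the PR quotes for GitHub and GitLab.

```ruby
# Added example, not the PR's own code. Hypothetical helpers that mirror the
# module's job as described in this thread: enumerate id_* private keys under a
# directory (the KEY_DIR option), build a non-interactive ssh probe that leaves
# the user's ~/.ssh state untouched, and parse the username out of the server's
# banner without raising when authentication failed.
require 'find'
require 'open3'
require 'tmpdir'
require 'fileutils'

# Banner formats as quoted in this PR. Deliberately not anchored at the start,
# because ssh may print a host-key warning before the banner.
GITHUB_BANNER = /Hi (?<user>[\w-]+)! You've successfully authenticated/
GITLAB_BANNER = /Welcome to GitLab, @(?<user>[\w.-]+)!/

# Recursively collect files named id_* below dir, skipping public halves (*.pub).
def find_keys(dir)
  keys = []
  Find.find(dir) do |path|
    next unless File.file?(path)
    base = File.basename(path)
    next unless base.start_with?('id_') && !base.end_with?('.pub')
    keys << path
  end
  keys.sort
end

# argv for one probe: `ssh -T git@<server>` with exactly one key offered.
def ssh_probe_argv(key_path, server)
  [
    'ssh', '-T',
    '-o', 'BatchMode=yes',                # never block on a passphrase prompt
    '-o', 'IdentitiesOnly=yes',           # offer only this key, not agent keys
    '-o', 'UserKnownHostsFile=/dev/null', # do not append the server to known_hosts
    '-o', 'StrictHostKeyChecking=no',
    '-o', 'ConnectTimeout=10',
    '-i', key_path,
    "git@#{server}"
  ]
end

# Username from a GitHub or GitLab banner, or nil when neither matched
# (e.g. "Permission denied (publickey)."). No indexing into split output, so a
# failed login cannot raise; an entry is only recorded when a user was parsed.
def parse_user(output)
  m = GITHUB_BANNER.match(output) || GITLAB_BANNER.match(output)
  m && m[:user]
end

# Run one probe. GitHub prints its banner on stderr and exits non-zero even on
# success, so both streams are parsed and the exit status is ignored.
def probe_key(key_path, server)
  out, err, _status = Open3.capture3(*ssh_probe_argv(key_path, server))
  parse_user(out + err)
end

# Offline demonstration on constructed input (no ssh connection is made).
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'alice', '.ssh'))
    %w[id_rsa id_rsa.pub id_ed25519 config].each do |name|
      FileUtils.touch(File.join(dir, 'alice', '.ssh', name))
    end
    puts "keys: #{find_keys(dir).map { |k| File.basename(k) }.join(', ')}"
  end
  puts "github: #{parse_user("Hi octocat! You've successfully authenticated, but GitHub does not provide shell access.").inspect}"
  puts "gitlab: #{parse_user('Welcome to GitLab, @octocat!').inspect}"
  puts "denied: #{parse_user('git@github.com: Permission denied (publickey).').inspect}"
end
```

Two of the ssh options matter for attribution rather than stealth: IdentitiesOnly=yes stops ssh from also offering whatever is loaded in the operator's agent, which would otherwise credit a success to the wrong key, and BatchMode=yes makes a passphrase-protected key fail fast instead of hanging the scan on a prompt.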

dwelch-r7 added a commit that referenced this pull request Dec 1, 2019
@dwelch-r7 dwelch-r7 merged commit 02bb97f into rapid7:master Dec 1, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Dec 1, 2019
dwelch-r7 (Contributor) commented Dec 1, 2019

Release Notes

The git_keys module attempts to authenticate with Git servers using provided SSH keys. If it is successful, it will identify the user that the SSH key belongs to.

@tdoan-r7 tdoan-r7 added the rn-modules label Dec 11, 2019
6 participants