Making SSH defaults widely used #16379
Factory is provided by mixin; removed the options that were the same as the defaults; adjusted the exception to give proper feedback to the user. It was returning as incorrect when it was indeed unable to negotiate the key exchange.

- Merge ssh defaults
- Remove options equal to default
```
Auxiliary failed: NameError undefined local variable or method `datastore' for #<Metasploit::Framework::LoginScanner::SSH
```

Rspec output
After landing #16318, it'll be necessary to change the tests for the ssh login scanner, specifically adding metasploit-framework/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb (lines 140 to 150 in 60a9c8d). It should be something like this:

```ruby
opt_hash = {
  :port => ssh_scanner.port,
  :use_agent => false,
  :config => false,
  :verbose => ssh_scanner.verbosity,
  :proxy => factory,
  :append_all_supported_algorithms => true,
  :auth_methods => ['password','keyboard-interactive'],
  :password => private,
  :non_interactive => true,
  :verify_host_key => :never
}
```
Neat, thank you

This is a really solid start; we should move on with these changes, but we also need to start looking at other modules that might need this kind of change and list them out.
This seems a good list to look at:

```
$ git grep Net::SSH.start
lib/metasploit/framework/login_scanner/ssh.rb: self.ssh_socket = Net::SSH.start(
modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb: Net::SSH.start(ip, user, opts)
modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb: Net::SSH.start(ip, 'admin', ssh_opts)
modules/auxiliary/scanner/ssh/fortinet_backdoor.rb: Net::SSH.start(ip, 'Fortimanager_Access', ssh_opts)
modules/auxiliary/scanner/ssh/juniper_backdoor.rb: Net::SSH.start(
modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb: Net::SSH.start(ip, username, ssh_opts)
modules/auxiliary/scanner/ssh/ssh_enumusers.rb: Net::SSH.start(ip, user, opts)
modules/exploits/apple_ios/ssh/cydia_default_ssh.rb: ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/http/alienvault_exec.rb: Net::SSH.start(rhost, "root", opts)
modules/exploits/linux/http/cisco_firepower_useradd.rb: Net::SSH.start(rhost, 'admin',
modules/exploits/linux/http/cisco_firepower_useradd.rb: @ssh_socket = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/http/ubiquiti_airos_file_upload.rb: Net::SSH.start(rhost, username, ssh_opts)
modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb: ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/cisco_ucs_scpuser.rb: ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/exagrid_known_privkey.rb: ssh_socket = Net::SSH.start(rhost, 'root', ssh_options)
modules/exploits/linux/ssh/f5_bigip_known_privkey.rb: ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/ibm_drm_a3user.rb: Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb: ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/mercurial_ssh_exec.rb: ssh = Net::SSH.start(rhost, username, ssh_options)
modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb: ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb: ssh_socket = Net::SSH.start(rhost, user, opt_hash)
modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb: ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/solarwinds_lem_exec.rb: ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/linux/ssh/symantec_smg_ssh.rb: ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb: ssh_socket = Net::SSH.start(rhost, 'admin', opt_hash)
modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb: ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb: ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/multi/ssh/sshexec.rb: self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
modules/exploits/solaris/ssh/pam_username_bof.rb: Net::SSH.start(rhost, '', ssh_client_opts)
modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb: ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
modules/exploits/unix/ssh/arista_tacplus_shell.rb: Net::SSH.start(rhost, username, opts)
modules/exploits/unix/ssh/arista_tacplus_shell.rb: ssh = Net::SSH.start(rhost, username, opts)
modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb: ssh = Net::SSH.start(rhost, user, opts)
modules/exploits/windows/ssh/sysax_ssh_username.rb: ssh = Net::SSH.start(
```
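The git grep above finds every call site, but not which ones still build their option hash by hand. As an added example (not Metasploit's own code), the Ruby below audits a set of module sources and reports the Net::SSH.start call sites that do not go through ssh_client_defaults, together with the consolidated options they still spell out; the file contents, method names and constants are this example's own constructions.

```ruby
# Added example, not code from the Metasploit project: flag Net::SSH.start
# call sites whose option hashes are hand-built instead of derived from
# ssh_client_defaults, and list which of the consolidated defaults such a
# hand-built hash still sets on its own. Sample sources are constructed.

SSH_START_RE = /Net::SSH\.start\(/
DEFAULTS_RE  = /\bssh_client_defaults\b/

# Options the shared defaults are meant to own; a module that spells them
# out itself is a candidate for the refactor discussed in this PR.
DEFAULT_OWNED_KEYS = %w[
  verify_host_key non_interactive append_all_supported_algorithms
  use_agent config
].freeze

# Classify one source file. Returns :no_ssh, :uses_defaults, or
# [:hand_built, <keys the file sets on its own>].
def classify_ssh_source(src)
  return :no_ssh unless src.match?(SSH_START_RE)
  return :uses_defaults if src.match?(DEFAULTS_RE)

  spelled_out = DEFAULT_OWNED_KEYS.select { |k| src.match?(/\b#{k}\b/) }
  [:hand_built, spelled_out]
end

# Audit a { path => source } map and return only the call sites to fix,
# mapped to the default-owned keys they currently set by hand.
def hand_built_call_sites(sources)
  sources.each_with_object({}) do |(path, src), report|
    status = classify_ssh_source(src)
    report[path] = status[1] if status.is_a?(Array)
  end
end

# Constructed sample module contents (not the real files).
SAMPLES = {
  'modules/exploits/multi/ssh/sshexec.rb' => <<~RUBY,
    opt_hash = ssh_client_defaults.merge(port: rport, auth_methods: ['password'])
    self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
  RUBY
  'modules/auxiliary/scanner/ssh/ssh_enumusers.rb' => <<~RUBY,
    opts = { port: rport, verify_host_key: :never, non_interactive: true }
    Net::SSH.start(ip, user, opts)
  RUBY
  'modules/exploits/linux/http/constructed_http_only.rb' => "send_request_cgi(...)\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  hand_built_call_sites(SAMPLES).each { |p, k| puts "#{p}: hand-built (#{k.join(', ')})" }
end
```

Run against a real checkout by replacing SAMPLES with a map built from `Dir.glob('modules/**/*.rb')` and `File.read`.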
Extra changes performed

apache_karaf_command_execution

There was a

before removed

```
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > run
[*] 127.0.0.1:2222 - Attempt to login...
[+] 127.0.0.1:2222 - Login Successful ('bob:Password1)'
[+] 127.0.0.1:2222 - Command successfully executed. Output: sh: shell:exec: not found
```

after removed

```
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > set CMD whoami
CMD => whoami
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) > exploit
[*] 127.0.0.1:2222 - Attempt to login...
[+] 127.0.0.1:2222 - Login Successful ('bob:Password1)'
[+] 127.0.0.1:2222 - Command successfully executed. Output: bob
[*] 127.0.0.1:2222 - Loot stored at: apache.karaf.command
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/apache_karaf_command_execution) >
```
@heyder Great work so far. Let me know if you'd like me to help out making some of the changes in the above list. Would love to help, I just wouldn't want to duplicate effort. Cheers.

Sure. Let's split what is missing in two. You can get from
Testing after changes is looking good:

Release Notes

Refactored a number of modules to use ssh_client_defaults
This PR fixes #16328 and depends on #16318 (which sets `append_all_supported_algorithms` to `true` in lib/msf/core/exploit/remote/ssh.rb) being landed.

Environment
Tests
before
after proper exception handling
The previous implementation was misleading the user saying the authentication failed when it indeed didn't manage to settle the key exchange algorithm.
❗ All tests from here were performed using the same changes done by #16318 (setting `append_all_supported_algorithms` to `true`). I didn't commit it again here to avoid conflicts during the merge.
after ssh defaults merge
test pivot
both modules after all changes