
Update ssh login pubkey module to correctly identify windows ssh platform #18547

Conversation

@adfoster-r7 adfoster-r7 commented Nov 17, 2023

Update ssh login pubkey module to correctly identify windows ssh platform

After fixing this, I still had some issues with the target here - #18547

Before

No identification

msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > run

[*] 54.215.236.141:22 SSH - Testing Cleartext Keys
[+] 54.215.236.141:22 - Success: 'vagrant:-----BEGIN RSA PRIVATE KEY-----.... etc...' 'uid=197616(vagrant) gid=197121(None) groups=197121(None),11(Authenticated Users),66048(LOCAL),66049(CONSOLE LOGON),4(INTERACTIVE),15(This Organization),545(Users),4095(CurrentSession),544(Administrators),559(Performance Log Users),405504(High Mandatory Level) MSYS_NT-10.0-17763 EC2AMAZ-PDSMQ8L 3.4.9.x86_64 2023-09-15 12:15 UTC x86_64 Msys '
...
[-] x.x.x.x:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future

After

Identified as windows

Verification

  • Verify unit tests pass

jvoisin commented Nov 18, 2023

Shouldn't recog be used instead?

h00die commented Nov 18, 2023

Interesting concept. It would need to be expanded to include a service.platform field, but that seems minor

adfoster-r7 commented Nov 20, 2023

Shouldn't recog be used instead?

Will answer the question in two parts:

Shouldn't recog be used instead?

I was contemplating if this belonged in Recog, but decided the overhead wasn't worth it. However, the RSpec pattern I'm introducing could allow us to migrate the strings to Recog in the future without a lot of effort

Shouldn't https://github.com/rapid7/recog/blob/main/xml/ssh_banners.xml be used instead?

For this particular codepath that I'm fixing - we can't use that file, as this PR is updating the fingerprinting for the id command output - not the remote SSH banner output

@smcintyre-r7

Well the verification says to make sure the unit tests pass which they do. I tested this with OpenSSH installed natively in Windows as well as with Cygwin. In both cases, the existing fingerprints were matching and I didn't notice an issue in the version currently in the master branch.

I'll go ahead and merge this because the fingerprint change seems reasonable.

In the following output, port 22 is the native OpenSSH server and port 2222 is installed via Cygwin.

msf6 auxiliary(scanner/ssh/ssh_login) > run RPORT=22

[*] 192.168.159.10:22 - Starting bruteforce
[+] 192.168.159.10:22 - Success: 'smcintyre:Password1!' 'Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763'
[*] SSH session 1 opened (192.168.159.128:35353 -> 192.168.159.10:22) at 2023-11-22 17:04:57 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > run RPORT=2222

[*] 192.168.159.10:2222 - Starting bruteforce
[+] 192.168.159.10:2222 - Success: 'smcintyre:Password1!' 'uid=1049576(smcintyre) gid=1049089(Domain Users) groups=1049089(Domain Users),544(Administrators),545(Users),554(Pre-Windows 2000 Compatible Access),574(Certificate Service DCOM Access),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated Users),15(This Organization),4095(CurrentSession),1049088(Domain Admins),1049095(Enterprise Admins),1049094(Schema Admins),1050179(Organization Management),70145(Authentication authority asserted identity),1049148(Denied RODC Password Replication Group),405504(High Mandatory Level) CYGWIN_NT-10.0-17763 DC 3.4.9-1.x86_64 2023-09-06 11:19 UTC x86_64 Cygwin '
[*] SSH session 2 opened (192.168.159.128:36605 -> 192.168.159.10:2222) at 2023-11-22 17:05:02 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type           Information      Connection
  --  ----  ----           -----------      ----------
  1         shell windows  SSH smcintyre @  192.168.159.128:35353 -> 192.168.159.10:22 (192.168.159.10)
  2         shell windows  SSH smcintyre @  192.168.159.128:36605 -> 192.168.159.10:2222 (192.168.159.10)

msf6 auxiliary(scanner/ssh/ssh_login) > 
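As an added illustration (example code written for this page, not the Metasploit module's own implementation), the following Ruby snippet shows the kind of post-login fingerprinting the thread is about: it classifies the `id`/`uname`/`ver` style "proof" string into a platform label, and pairs it with a table-driven check in the spirit of the RSpec pattern adfoster-r7 mentions. The sample strings are constructed (and shortened) from the outputs quoted above; the regex set, the `MINGW` pattern and the function names are assumptions, not taken from the project.

```ruby
# Example code, not Metasploit's own logic: classify the proof string an SSH
# login module gathers after authentication into a platform label.

# Constructed samples, shortened from the outputs quoted in this PR thread.
SAMPLE_PROOFS = {
  msys:   'uid=197616(vagrant) gid=197121(None) groups=197121(None),544(Administrators) ' \
          'MSYS_NT-10.0-17763 EC2AMAZ-PDSMQ8L 3.4.9.x86_64 2023-09-15 12:15 UTC x86_64 Msys ',
  cygwin: 'uid=1049576(smcintyre) gid=1049089(Domain Users) groups=544(Administrators),545(Users) ' \
          'CYGWIN_NT-10.0-17763 DC 3.4.9-1.x86_64 2023-09-06 11:19 UTC x86_64 Cygwin ',
  native: 'Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763',
  # Constructed Linux sample for contrast (not from the thread).
  linux:  'uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),27(sudo) ' \
          'Linux ubuntu 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux'
}.freeze

# Ordered [platform, pattern] pairs; the first match wins. Windows emulation
# layers are checked before the generic Linux/Darwin patterns so that a
# Windows host running a POSIX shell is not misread as Linux.
# (Pattern set is an assumption for this example; MINGW is Git Bash's uname.)
PLATFORM_FINGERPRINTS = [
  ['windows', /\b(?:MSYS|CYGWIN|MINGW\d*)_NT-/], # uname -s on MSYS2/Cygwin/Git Bash
  ['windows', /\AMicrosoft Windows\b/],          # native OpenSSH, cmd.exe `ver` output
  ['linux',   /\bLinux\b/],
  ['osx',     /\bDarwin\b/]
].freeze

# Returns a platform label, or 'unknown' when nothing matches or the proof is empty.
def fingerprint_platform(proof)
  return 'unknown' if proof.nil? || proof.strip.empty?

  PLATFORM_FINGERPRINTS.each do |platform, pattern|
    return platform if proof.match?(pattern)
  end
  'unknown'
end

# Expected label for each sample; this table is the shape a fingerprint spec
# (or a later Recog migration) would consume.
EXPECTED_PLATFORMS = { msys: 'windows', cygwin: 'windows', native: 'windows', linux: 'linux' }.freeze

# Returns the subset of expectations that fingerprint_platform does NOT reproduce
# (an empty Hash means every sample fingerprinted as expected).
def fingerprint_mismatches(samples = SAMPLE_PROOFS, expected = EXPECTED_PLATFORMS)
  expected.reject { |name, platform| fingerprint_platform(samples[name]) == platform }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PROOFS.each { |name, proof| puts "#{name}: #{fingerprint_platform(proof)}" }
  puts "mismatches: #{fingerprint_mismatches.inspect}"
end
```

The ordering of the pattern table is the security-relevant detail: the `id` output from a Cygwin or MSYS shell looks like a Unix login at first glance, so any Unix-flavoured pattern checked first would produce the wrong session type, which is the mis-fingerprinting the PR fixes.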

@smcintyre-r7 smcintyre-r7 added library bug rn-fix release notes fix labels Nov 22, 2023
@smcintyre-r7 smcintyre-r7 self-assigned this Nov 22, 2023
@smcintyre-r7 smcintyre-r7 merged commit 4321aaf into rapid7:master Nov 22, 2023
37 checks passed
@smcintyre-r7

Release Notes

This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
