Class: Metasploit::Framework::LoginScanner::SSH

Inherits:
Object
  • Object
show all
Includes:
Base
Defined in:
lib/metasploit/framework/login_scanner/ssh.rb

Overview

This is the LoginScanner class for dealing with the Secure Shell protocol. It is responsible for taking a single target, and a list of credentials and attempting them. It then saves the results.

Constant Summary collapse

CAN_GET_SESSION =

CONSTANTS

true
DEFAULT_PORT =
22
LIKELY_PORTS =
[ DEFAULT_PORT ]
LIKELY_SERVICE_NAMES =
[ 'ssh' ]
PRIVATE_TYPES =
[ :password, :ssh_key ]
REALM_KEY =
nil
VERBOSITIES =
[
    :debug,
    :info,
    :warn,
    :error,
    :fatal
]

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#skip_gather_proofBoolean

Returns Whether to skip calling gather_proof.

Returns:

  • (Boolean)

    Whether to skip calling gather_proof


44
45
46
# File 'lib/metasploit/framework/login_scanner/ssh.rb', line 44

def skip_gather_proof
  @skip_gather_proof
end

#ssh_socketNet::SSH::Connection::Session

Returns The current SSH connection.

Returns:

  • (Net::SSH::Connection::Session)

    The current SSH connection


36
37
38
# File 'lib/metasploit/framework/login_scanner/ssh.rb', line 36

def ssh_socket
  @ssh_socket
end

#verbositySymbol

The verbosity level for the SSH client.

Returns:


41
42
43
# File 'lib/metasploit/framework/login_scanner/ssh.rb', line 41

def verbosity
  @verbosity
end

Instance Method Details

#attempt_login(credential) ⇒ Object

Note:

The caller must close #ssh_socket


52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'lib/metasploit/framework/login_scanner/ssh.rb', line 52

def (credential)
  self.ssh_socket = nil
  factory = Rex::Socket::SSHFactory.new(framework,framework_module, proxies)
  opt_hash = {
    :port            => port,
    :use_agent       => false,
    :config          => false,
    :verbose         => verbosity,
    :proxy           => factory,
    :non_interactive => true,
    :verify_host_key => :never
  }
  case credential.private_type
  when :password, nil
    opt_hash.update(
      :auth_methods  => ['password','keyboard-interactive'],
      :password      => credential.private,
    )
  when :ssh_key
    opt_hash.update(
      :auth_methods  => ['publickey'],
      :key_data      => credential.private,
    )
  end

  result_options = {
    credential: credential
  }
  begin
    ::Timeout.timeout(connection_timeout) do
      self.ssh_socket = Net::SSH.start(
        host,
        credential.public,
        opt_hash
      )
    end
  rescue OpenSSL::Cipher::CipherError, ::EOFError, Net::SSH::Disconnect, Rex::ConnectionError, ::Timeout::Error => e
    result_options.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  rescue Net::SSH::Exception
    result_options.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: e)
  end

  unless result_options.has_key? :status
    if ssh_socket
      proof = gather_proof unless skip_gather_proof
      result_options.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: proof)
    else
      result_options.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: nil)
    end
  end

  result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
  result.host         = host
  result.port         = port
  result.protocol     = 'tcp'
  result.service_name = 'ssh'
  result
end

#get_platform(proof) ⇒ Object


195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
# File 'lib/metasploit/framework/login_scanner/ssh.rb', line 195

def get_platform(proof)
  case proof
  when /unifi\.version|UniFiSecurityGateway/ #Ubiquiti Unifi.  uname -a is left in, so we got to pull before Linux
    'unifi'
  when /Linux/
    'linux'
  when /Darwin/
    'osx'
  when /SunOS/
    'solaris'
  when /BSD/
    'bsd'
  when /HP-UX/
    'hpux'
  when /AIX/
    'aix'
  when /Win32|Windows|Microsoft/
    'windows'
  when /Unknown command or computer name|Line has invalid autocommand/
    'cisco-ios'
  when /unknown keyword/ # ScreenOS
    'juniper'
  when /JUNOS Base OS/ # JunOS
    'juniper'
  when /MikroTik/
    'mikrotik'
  when /Arista/
    'arista'
  else
    'unknown'
  end
end