Metasploit-framework: ssh_login scanner not honoring PASSWORD_SPRAY = true

Created on 25 Jun 2019 · 2 Comments · Source: rapid7/metasploit-framework

Steps to reproduce

How'd you do it?

  1. Establish meterpreter shell on victim1 for pivoting to victim2
  2. Create route in Metasploit to route victim2 traffic through victim1
    2.5 use auxiliary/scanner/ssh/ssh_login
  3. Set appropriate password/user files and rhosts properties
  4. set Verbose true
  5. set PASSWORD_SPRAY true
  6. set CreateSession false
  7. set TRANSITION_DELAY 9
  8. run

Expected behavior

Expected Output:

[-] 192.168.52.20:22 - Failed: 'User1:password1'
[-] 192.168.52.20:22 - Failed: 'User2:password1'
[-] 192.168.52.20:22 - Failed: 'User3:password1'
[-] 192.168.52.20:22 - Failed: 'User4:password1'
[-] 192.168.52.20:22 - Failed: 'User5:password1'

Current behavior

Actual Output (brief):

[-] 192.168.52.20:22 - Failed: 'User1:password1'
[-] 192.168.52.20:22 - Failed: 'User1:password2'
[-] 192.168.52.20:22 - Failed: 'User1:password3'
[-] 192.168.52.20:22 - Failed: 'User1:password4'
[-] 192.168.52.20:22 - Failed: 'User1:password5'

Actual Output (long):

msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                   Connection
  --  ----  ----                   -----------                                                   ----------
  1         meterpreter x64/linux  uid=1096, gid=100, euid=1096, egid=100 @ host  192.168.34.53:22 -> 192.168.35.105:37852 (192.168.35.105)

msf5 auxiliary(scanner/ssh/ssh_login) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.52.0        255.255.255.0      Session 1

[*] There are currently no IPv6 routes defined.
msf5 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting                               Required  Description
   ----              ---------------                               --------  -----------
   BLANK_PASSWORDS   false                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                             yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                         no        Add all users in the current database to the list
   PASSWORD                                                        no        A specific password to authenticate with
   PASS_FILE         /root/loot/passwords.txt                      no        File containing passwords, one per line
   RHOSTS            192.168.52.20                                  yes       The target address range or CIDR identifier
   RPORT             22                                            yes       The target port
   STOP_ON_SUCCESS   false                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                             yes       The number of concurrent threads
   USERNAME                                                        no        A specific username to authenticate as
   USERPASS_FILE                                                   no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true                                          no        Try the username as the password for all users
   USER_FILE         /root/loot/users.txt                          no        File containing usernames, one per line
   VERBOSE           true                                          yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) > advanced

Module advanced options (auxiliary/scanner/ssh/ssh_login):

   Name                        Current Setting                          Required  Description
   ----                        ---------------                          --------  -----------
   AutoRunScript                                                        no        A script to run automatically on session creation.
   CommandShellCleanupCommand                                           no        A command to run before the session is closed
   CreateSession               false                                    no        Create a new session for every successful login
   InitialAutoRunScript                                                 no        An initial script to run on session creation (before AutoRunScript)
   MaxGuessesPerService        0                                        no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser           0                                        no         Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
   MaxMinutesPerService        0                                        no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   PASSWORD_SPRAY              true                                     yes       Reverse the credential pairing order. For each password, attempt every possible user.
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   REMOVE_PASS_FILE            false                                    yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE        false                                    yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE            false                                    yes       Automatically delete the USER_FILE on module completion
   SSH_DEBUG                   false                                    no        Enable SSH debugging output (Extreme verbosity!)
   SSH_IDENT                   SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3  yes       SSH client identification string
   SSH_TIMEOUT                 30                                       no        Specify the maximum time to negotiate a SSH session
   ShowProgress                true                                     yes       Display progress messages during a scan
   ShowProgressPercent         10                                       yes       The interval in percent that progress should be shown
   TRANSITION_DELAY            9                                        no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE       

msf5 auxiliary(scanner/ssh/ssh_login) > run -j
[*] Auxiliary module running as background job 2.
msf5 auxiliary(scanner/ssh/ssh_login) > 
[-] 192.168.52.20:22 - Could not connect: execution expired
[-] 192.168.52.20:22 - Failed: 'ASxxxxxx:password1'
[-] 192.168.52.20:22 - Failed: 'ASxxxxxx:password2'
[-] 192.168.52.20:22 - Failed: 'ASxxxxxx:password3'
[-] 192.168.52.20:22 - Failed: 'ASxxxxxx:password4'
[-] 192.168.52.20:22 - Failed: 'ASxxxxxx:password5'
[-] 192.168.52.20:22 - Failed: 'ASxxxxxx:password6'

System stuff

Metasploit version

msf5 auxiliary(scanner/ssh/ssh_login) > version
Framework: 5.0.30-dev
Console  : 5.0.30-dev

I installed Metasploit with:

  • [X] Kali package via apt

OS

What OS are you running Metasploit on?

root@kali:~# uname -a
Linux kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-5kali1 (2019-06-20) x86_64 GNU/Linux

All 2 comments

The problem is that the PASSWORD_SPRAY option is implemented in a method that the scanner/ssh/ssh_login module does not use, so that module doesn't actually support the option. This is definitely confusing, as we shouldn't display the option as being available for modules that do not support it.

For a little more context (and to save some notes):

The PASSWORD_SPRAY option is included with the auth_brute.rb module. Any module that includes that will display the list of options included within that. The PASSWORD_SPRAY option is only utilized in the each_user_pass method, so you can really only utilize it if the scanner module uses that method to iterate through the credential list.

The scanner/ssh/ssh_login module includes the AuthBrute module, but actually runs its scan logic using the LoginScanner.scan! method. The option shows up as available because AuthBrute is included, but the scanner/ssh/ssh_login module doesn't use that logic to run the scan so it would actually never be honored.

This is all because there was a fundamental shift in how login scanners should be written a little while back. About half of the scanner modules use the old way (AuthBrute) while the other half use the LoginScanner code. We need to consolidate all of the login code into one place and update the modules using the old method to use the LoginScanner code. This is no small undertaking, however.

I ran a test for this specific module where I removed the include of Msf::Auxiliary::AuthBrute from the scanner/ssh/ssh_login module and attempted to run the module to see if it would work. The idea was that if that module isn't actually being used I could remove the include so the PASSWORD_SPRAY option wouldn't incorrectly be displayed. It turns out it is still using one method, prepend_db_passwords, from AuthBrute so execution fails.
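To make the reported behavior concrete, here is an added Ruby illustration that is not code from the Metasploit project: it models the pairing order each_user_pass is documented to produce for PASSWORD_SPRAY (and the points where TRANSITION_DELAY would apply), and checks ssh_login verbose result lines for whether that order was actually used. The user and password lists and the log lines are constructed for the example.

```ruby
# Added illustration, not Metasploit code: models the pairing order that
# AuthBrute#each_user_pass is meant to produce for PASSWORD_SPRAY and checks
# an attempt log for whether that order was actually used. The user and
# password lists and the log lines below are constructed for the example.

# Order attempts the way each_user_pass is documented to: user-major by
# default, password-major ("for each password, attempt every user") when
# password_spray is true.
def credential_order(users, passwords, password_spray: false)
  outer, inner = password_spray ? [passwords, users] : [users, passwords]
  outer.flat_map do |o|
    inner.map { |i| password_spray ? "#{i}:#{o}" : "#{o}:#{i}" }
  end
end

# Attempt indices at which TRANSITION_DELAY would apply: the outer-loop key
# (user, or password when spraying) changes at these positions.
def transition_points(users, passwords, password_spray: false)
  outer, inner = password_spray ? [passwords, users] : [users, passwords]
  (1...outer.length).map { |n| n * inner.length }
end

# Pull the 'user:pass' string out of ssh_login's verbose result lines.
def attempts_from_log(lines)
  lines.map { |l| l[/(?:Failed|Success): '([^']+)'/, 1] }.compact
end

# A spray-ordered run tries one password against every user before moving
# on, so the first users.length attempts all carry the same password.
def spray_honored?(attempts, users)
  return false if users.length < 2 || attempts.length < users.length
  attempts.first(users.length).map { |a| a.split(':', 2).last }.uniq.one?
end

USERS     = %w[User1 User2 User3].freeze    # constructed sample
PASSWORDS = %w[password1 password2].freeze  # constructed sample

# Constructed excerpt in the format the issue quotes (VERBOSE output).
OBSERVED_LOG = [
  "[-] 192.168.52.20:22 - Failed: 'User1:password1'",
  "[-] 192.168.52.20:22 - Failed: 'User1:password2'",
  "[-] 192.168.52.20:22 - Failed: 'User2:password1'",
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "spray order:   #{credential_order(USERS, PASSWORDS, password_spray: true).inspect}"
  puts "spray honored? #{spray_honored?(attempts_from_log(OBSERVED_LOG), USERS)}"
end
```

Running it against the constructed log reports false, which is the user-major order the issue describes; the same check against a real run's verbose output tells you whether the module you are using actually iterates through each_user_pass.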

9634
