Metasploit: SSH error with IOS


cmd105

Hi guys,

I recently started learning more about ethical hacking and stumbled upon Metasploit. It is a great tool but I am having an issue on a pen test, which is the following.

I am trying to exploit my iPad Air (iOS 8.1.1, jailbroken) and I am using the exploit "exploit/apple_ios/ssh/cydia_default_ssh". Also, the OS I am running is Kali Linux.

I am able to set up the RHOST with my IP address (192.168.1.2) and the default port 22. This data is confirmed and accurate, as I did an nmap scan just before that showed me that port 22 was open on that IP.

Everything seems fine until I try to run the exploit. What happens is this:

[*] 192.168.1.2:22 - Attempt to login as 'root' with password 'alpine'
[-] 192.168.1.2:22 SSH Error: Net::SSH::Exception : could not settle on kex algorithm
[*] 192.168.1.2:22 - Attempt to login as 'mobile' with password 'dottie'
[-] 192.168.1.2:22 SSH Error: Net::SSH::Exception : could not settle on kex algorithm

I have left the root:alpine login as per default on my iPad. I had even changed the password in my iPad's terminal and tried to log in via Armitage with SSH Login and the updated credentials. Still, I am always getting the same error and am not sure what is going on.

Can anyone help here?

Cheers


Well, what's going on is that the 2 sides of the connection need to agree on the Key EXchange algorithm. To do that they both say what they support and then go for the strongest level crypto alg they share. The problem you have is that all the algorithms supported by the other side aren't supported by your side, meaning the connection cannot be established.

Why that is and how to fix it... You'll probably want to get a bit more low-level up-close and personal with the protocol. Let Wireshark listen in and see what's up.

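The negotiation step behind "could not settle on kex algorithm", as an added example that is not part of the original posts and not Metasploit's or Net::SSH's code. It follows the RFC 4253 section 7.1 rule that the first algorithm on the client's list that the server also lists is chosen; it leaves out the host-key capability conditions for kex, and all algorithm lists and names such as `compare_proposals` are constructed for illustration.

```ruby
# Added example. Algorithm lists are constructed sample data, not a capture.
class NegotiationError < StandardError; end

# A KEXINIT name-list is a comma-separated string of algorithm names.
def parse_name_list(raw)
  raw.split(",").map(&:strip).reject(&:empty?)
end

# RFC 4253 7.1: take the first entry on the CLIENT's list that the server
# also offers. The client's ordering decides which shared algorithm wins.
def negotiate(category, client_raw, server_raw)
  client = parse_name_list(client_raw)
  server = parse_name_list(server_raw)
  match = client.find { |name| server.include?(name) }
  return match if match

  raise NegotiationError,
        "could not settle on #{category} algorithm " \
        "(client offers: #{client.join(', ')}; server offers: #{server.join(', ')})"
end

# Compare every category of two proposals and report the outcome per
# category, so the mismatching one stands out without reading a capture.
def compare_proposals(client, server)
  client.keys.map do |category|
    result = begin
      negotiate(category, client[category], server.fetch(category, ""))
    rescue NegotiationError
      :no_common_algorithm
    end
    [category, result]
  end.to_h
end

# Constructed proposals: an older client library against a newer server.
OLD_CLIENT = {
  kex: "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
  encryption: "aes128-cbc,3des-cbc,aes128-ctr"
}.freeze
NEW_SERVER = {
  kex: "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1",
  encryption: "aes128-ctr,aes256-ctr"
}.freeze

if __FILE__ == $PROGRAM_NAME
  compare_proposals(OLD_CLIENT, NEW_SERVER).each { |cat, res| puts "#{cat}: #{res}" }
end
```

To use it on a real session, paste in the `kex_algorithms` name-lists that Wireshark shows in each side's Key Exchange Init packet.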

Thanks Cooper. I followed your suggestion and attempted the attack on my iPad using Armitage with Wireshark listening.

Screenshots are attached, so my machine is 192.168.1.5 and I am trying to attack my iPad 192.168.1.2.

As far as I can see, it seems that the OpenSSH versions are different on my iPad and my Kali Linux machine (V6.7 vs V5.0), am I right?

I have checked on my iPad and I have version 6.7 installed. Regarding my Kali Linux machine, everything is updated and upgraded properly and it seems that v6.7 is also installed... any ideas?


The error comes from this file, line 271 invoking 'negotiate' (293) and failing to find a match (297).

Way up on lines 27 and 28 you can find which key exchange algorithms Metasploit supports. They look reasonable enough. According to the documentation I can find ssh2 only supports diffie-hellman-group1-sha1 which is in that list for kex... Very strange indeed.

How current is your copy of Metasploit?


Mh.. I have it updated to the latest, 4.11.1, also just ran a msfupdate to be sure.

Kali is also updated, upgraded and dist-upgraded to the max.

Do you think it is something with my configuration? I would expect that more people would have this problem, but I scoured the internet and didn't find anything pertaining to this exact issue.


To be honest, I'm thinking yes. Looking at that chunk of code I don't see how it would fail against a bog-standard and potentially even relatively outdated ssh2 server on an iPad...


I would also think that Metasploit should not give this amount of trouble for such a simple exploit.

I installed this Kali dist. very recently and only have the official repos on it, so I am completely lost on why the issue is happening. I will keep on researching, thanks for your input.
