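# i8igmac -- posted November 24, 2017 (edited November 25, 2017 by i8igmac)
#
# Here is an example of logging into a keyboard-interactive login shell
# (shell.rb). This is a start of a brute force keyboard-interactive ssh.
#
# Usage: ruby shell.rb HOST USER PASS
#
# Flow, as written: authenticate to the SSH server with USER/PASS, open a
# channel with a PTY, run "help", then answer the in-band "login:" and
# "password :" prompts with the same credentials. The first time the
# "rkscli:" prompt appears, "help" is sent once.
require 'rubygems'
require 'net/ssh'

# 73.9.26.15
host, user, pass = ARGV

# NOTE: a password given on the command line is visible to other local users
# through the process list and usually ends up in shell history.
abort "usage: #{$PROGRAM_NAME} HOST USER PASS" unless host && user && pass

# Becomes true once the device prompt has been seen and "help" was sent.
host_execution = false

Net::SSH.start(host, user, :password => pass) do |ssh|
  # Open a channel
  channel = ssh.open_channel do |ch, _success|
    ch.request_pty
    ch.exec("help")

    ch.on_data do |stream, data|
      # Everything the remote side sends is echoed to the local terminal.
      print data
      sleep 3

      # Answer the in-band login prompt.
      stream.send_data "#{user}\n" if data.include?("login:")
      # print("#{user}")

      # Send the password. It is no longer echoed to stdout: printing it put
      # the secret into terminal scrollback and any captured output.
      stream.send_data("#{pass}\n") if data.include?("password :")

      at_prompt = data.include?('rkscli:')

      if !host_execution && at_prompt
        host_execution = true
        puts stream.send_data("help\n")
        stream.wait
      end

      if host_execution && at_prompt
        # Interactive input was left commented out, as the collapsed
        # original suggests:
        # puts channel.send_data(gets)
        stream.wait
      end
    end
  end

  # Wait for opened channel
  channel.wait
end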
# i8igmac (author) -- posted November 24, 2017 (edited November 25, 2017 by i8igmac)
#
# I hope to place an if expression before SUCCESS happens.

# Sketch of the check the poster wants to add; `response`, `scanner` and
# `creds` are not defined anywhere in this post.
# NOTE(review): if response.data is a String, the predicate is `include?`;
# String does not respond to `includes?` -- confirm the type of response.data.
if response.data.includes?("Please login:")
  #then submit the current CREDS
  scanner.ssh_socket.send_data(creds.user+"\n")
  scanner.ssh_socket.send_data(creds.pass+"\n")
end

# Here is modules/auxiliary/scanner/ssh/ssh_login.rb:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'
require 'metasploit/framework/login_scanner/ssh'
require 'metasploit/framework/credential_collection'

# Auxiliary scanner module that tries SSH credentials against each host it is
# given and records the outcome of every attempt.
#
# It mixes in AuthBrute, Report, CommandShell and Scanner from Msf::Auxiliary;
# the helpers called below without a receiver (print_brute, vprint_brute,
# create_credential, create_credential_login, invalidate_login, start_session,
# prepend_db_passwords, ...) are not defined in this file.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::CommandShell
  include Msf::Auxiliary::Scanner

  # Declares the module metadata and its options: RPORT (22) as a regular
  # option; Proxies, SSH_DEBUG (false) and SSH_TIMEOUT (30) as advanced options.
  def initialize
    super(
      'Name' => 'SSH Login Check Scanner',
      'Description' => %q{
        This module will test ssh logins on a range of machines and
        report successful logins. If you have loaded a database plugin
        and connected to a database this module will record successful
        logins and hosts so you can track your access.
      },
      'Author' => ['todb'],
      'References' =>
        [
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {'VERBOSE' => false} # Disable annoying connect errors
    )

    register_options(
      [
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        Opt::Proxies,
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )

  end

  # @return the configured remote port, read from the RPORT datastore option
  def rport
    datastore['RPORT']
  end

  # Turns an authenticated SSH connection into a framework session.
  #
  # @param result the login result; its credential and proof are read here
  # @param ssh_socket the SSH connection belonging to that result
  # @return the started session, or nil when ssh_socket is nil/false
  def session_setup(result, ssh_socket)
    return unless ssh_socket

    # Create a new session
    conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)

    # The credential-file options are blanked and the single working
    # username/password pair is set instead. Note that the plaintext password
    # (result.credential.private) is carried along in this hash.
    merge_me = {
      'USERPASS_FILE' => nil,
      'USER_FILE' => nil,
      'PASS_FILE' => nil,
      'USERNAME' => result.credential.public,
      'PASSWORD' => result.credential.private
    }
    # NOTE(review): result.credential is interpolated into the session info
    # string; whether its to_s includes the password is not visible here.
    info = "#{proto_from_fullname} #{result.credential} (#{@ip}:#{rport})"
    s = start_session(self, info, merge_me, false, conn.lsock)
    # Drop the transport socket from this module's socket list -- presumably so
    # module cleanup does not close the socket the new session uses; confirm.
    self.sockets.delete(ssh_socket.transport.socket)

    # Set the session platform
    # The platform is guessed from the proof text returned by the server. There
    # is no else branch, so an unmatched proof leaves the platform as it was.
    case result.proof
    when /Linux/
      s.platform = "linux"
    when /Darwin/
      s.platform = "osx"
    when /SunOS/
      s.platform = "solaris"
    when /BSD/
      s.platform = "bsd"
    when /HP-UX/
      s.platform = "hpux"
    when /AIX/
      s.platform = "aix"
    when /Win32|Windows/
      s.platform = "windows"
    when /Unknown command or computer name/
      s.platform = "cisco-ios"
    end

    s
  end

  # Runs the credential check against a single host.
  #
  # Builds the credential collection from the datastore options, hands it to
  # the SSH login scanner and handles every result the scanner yields.
  #
  # @param ip the address of the host under test
  def run_host(ip)
    # Remembered for the session info string built in session_setup.
    @ip = ip

    cred_collection = Metasploit::Framework::CredentialCollection.new(
      blank_passwords: datastore['BLANK_PASSWORDS'],
      pass_file: datastore['PASS_FILE'],
      password: datastore['PASSWORD'],
      user_file: datastore['USER_FILE'],
      userpass_file: datastore['USERPASS_FILE'],
      username: datastore['USERNAME'],
      user_as_pass: datastore['USER_AS_PASS'],
    )

    cred_collection = prepend_db_passwords(cred_collection)

    scanner = Metasploit::Framework::LoginScanner::SSH.new(
      host: ip,
      port: rport,
      cred_details: cred_collection,
      proxies: datastore['Proxies'],
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: datastore['SSH_TIMEOUT'],
      framework: framework,
      framework_module: self,
    )

    scanner.verbosity = :debug if datastore['SSH_DEBUG']

    # The block runs once per result. Its last expression in the SUCCESSFUL and
    # UNABLE_TO_CONNECT branches is a symbol (:next_user / :abort) -- presumably
    # a control hint for scan!; how scan! uses it is not shown in this file.
    scanner.scan! do |result|
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: self.fullname,
        workspace_id: myworkspace_id
      )
      case result.status
      when Metasploit::Model::Login::Status::SUCCESSFUL
        # The proof comes from the remote server, so CR, LF, ESC, backspace and
        # BEL are replaced with spaces before it is printed; this keeps those
        # control characters out of the operator's console output.
        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
        create_credential_login(credential_data)
        session_setup(result, scanner.ssh_socket)
        :next_user
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
        # NOTE(review): unlike the success message, result.proof is printed
        # here without the control-character replacement.
        vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"
        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
        invalidate_login(credential_data)
        :abort
      when Metasploit::Model::Login::Status::INCORRECT
        vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
        invalidate_login(credential_data)
        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
      else
        # Any other status is handled like a failed attempt, without a message.
        invalidate_login(credential_data)
        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
      end
    end
  end
end
i8igmac (author) — posted November 25, 2017

My struggle is getting my hands on the response data to check whether 'Please login' exists. If there are any Metasploit gurus around here, I could use some help... I can get close, but only when I dig deep into the libs...