Inicio Explorar Axuda
Iniciar sesión
epsylon
/
fuzzssh
Seguir 1
Destacar 0
Fork 0
Ficheiros Pull Requests 0
Explorar o código

minor fixes

psy %!s(int64=3) %!d(string=hai) anos
pai
43394476c2
achega
6e2f0c382c
Modificáronse 2 ficheiros con 93 adicións e 42 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 4 1
      README.md
  2. 89 41
      fuzzssh.py

+ 4 - 1
README.md
Ver ficheiro 

@@ -33,7 +33,8 @@
 
 
  To make donations use the following hash:
 
   
-     - Bitcoin: 19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
 
+     - [BTC]: 19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
 
+     - [ECO]: ETsRCBzaMawx3isvb5svX7tAukLdUFHKze
 
 
 ----------
 
 
@@ -43,3 +44,5 @@
 
 
 ![c](https://03c8.net/images/fuzzssh_poc2.png)
 
 
+![c](https://03c8.net/images/fuzzssh_poc3.png)
 
+

+ 89 - 41
fuzzssh.py
Ver ficheiro 

@@ -63,53 +63,98 @@ def payloading():
 
     num_payloads_bugs = len(payloads_bugs)
 
     return payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs
 
 
-def send_payload(client, payload, parameter, verbosity, num_payloads, method):
 
-    try: # FUZZED PARAMETERS
 
-        if parameter == "USERNAME":
 
+def send_payload(client, payload, parameter, verbosity, num_payloads, method): # FUZZED PARAMETERS
 
+    if parameter == "USERNAME":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=payload, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "PASSWORD":
 
+            client.close() # close SSH client
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "PASSWORD":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=payload, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "PKEY":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "PKEY":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=payload, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "KEY_FILENAME":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "KEY_FILENAME":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=payload, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "TIMEOUT":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "TIMEOUT":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=payload, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "ALLOW_AGENT":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "ALLOW_AGENT":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=payload, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "LOOK_FOR_KEYS":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "LOOK_FOR_KEYS":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=payload, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "COMPRESS":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "COMPRESS":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=payload, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "SOCK":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "SOCK":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=payload, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "GSS_AUTH":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "GSS_AUTH":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=payload, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "GSS_KEX":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "GSS_KEX":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=payload, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "GSS_DELEG_CREDS":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "GSS_DELEG_CREDS":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=payload, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "GSS_HOST":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "GSS_HOST":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=payload, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "BANNER_TIMEOUT":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "BANNER_TIMEOUT":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=payload, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "AUTH_TIMEOUT":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "AUTH_TIMEOUT":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=payload, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "GSS_TRUST_DNS":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "GSS_TRUST_DNS":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=payload, passphrase=None, disabled_algorithms=None)
 
-        elif parameter == "PASSPHRASE":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "PASSPHRASE":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=payload, disabled_algorithms=None)
 
-        elif parameter == "DISABLED_ALGORITHMS":
 
+        except:
 
+            pass # keep testing
 
+    elif parameter == "DISABLED_ALGORITHMS":
 
+        try:
 
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=payload)
 
-    except paramiko.SSHException as e: # https://docs.paramiko.org/en/stable/api/ssh_exception.html
 
-        exception = str(e)
 
-        if not os.path.exists('exceptions.log'):
 
-            os.mknod('exceptions.log')
 
-        if not exception in open('exceptions.log').read():
 
-            f = open("exceptions.log", "a")
 
-            f.write("Exception error: %s\n\n" % exception)
 
-            f.close()
 
-    client.close() # close SSH client
 
+        except:
 
+            pass # keep testing
 
 
 def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs):
 
     try:
 
@@ -117,9 +162,9 @@ def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_nu
 
         client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 
         client.load_system_host_keys()
 
         paramiko.util.log_to_file("/dev/null", level="INFO") # logs + bypass -> paramiko.SSHException issue (https://github.com/paramiko/paramiko/issues/1752)
 
-        print("[Info] Trying SSH [NORMAL] connection...\n")
 
+        print("[Info] Trying SSH connection...\n")
 
         client.connect(hostname=str(target),port=int(port),username=str(user),password=str(pw),timeout=10,banner_timeout=200,look_for_keys=False,allow_agent=False)
 
-        print("\n[Info] [NORMAL] Connection established -> OK!")
 
+        print("[Info] Connection established -> OK!")
 
         if verbosity is True:
 
             b = client.get_transport().remote_version
 
             print ("\n  -> [*] Banner:")
 
@@ -131,11 +176,12 @@ def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_nu
 
             print ("\n  -> [*] Key exchange algorithms:")
 
             for k in so.kex:
 
                 print("      -> "+str(k))
 
-        print("\n[Info] [NORMAL] Connection closed -> OK!")
 
+            print("\n[Info] Connection closed -> OK!")
 
         print("\n"+"="*50)
 
     except:
 
         print("="*50)
 
-        print ("\n[Error] [NORMAL] Connection failed! -> [PASSING!]")
 
+        print ("\n[Error] Connection failed! -> [ABORTING!]\n")
 
+        sys.exit()
 
     client.close() # close SSH client
 
     print("\n -> [*] Starting to test SSH (protocol)...")
 
     parameters = ("USERNAME", "PASSWORD", "PKEY", "KEY_FILENAME", "TIMEOUT", "ALLOW_AGENT", "LOOK_FOR_KEYS", "COMPRESS", "SOCK", "GSS_AUTH", "GSS_KEX", "GSS_DELEG_CREDS", "GSS_HOST", "BANNER_TIMEOUT", "AUTH_TIMEOUT", "GSS_TRUST_DNS", "PASSPHRASE", "DISABLED_ALGORITHMS") # FUZZED PARAMETERS
 
@@ -171,24 +217,26 @@ def set_target():
 
     target = input("\n  + Enter TARGET (ex: '100.0.0.1'): ")
 
     if target == "": # exit when no 'target' set
 
         print("\n"+"="*50)
 
-        print("\n[Error] Not ANY target detected... Exiting!\n")
 
+        print("\n[Error] Not ANY target detected -> [EXITING!]\n")
 
         sys.exit()
 
-    port = input("\n  + Enter PORT (ex: '22'): ")
 
+    port = input("\n  + Enter PORT (default: '22'): ")
 
     try: # check port as integer num
 
         port = int(port)
 
     except:
 
         port = 22
 
     if port == "": # default when no 'port' set
 
         port = 22
 
-    user = input("\n  + Enter USER (ex: 'root'): ")
 
+    user = input("\n  + Enter USER (default: 'root'): ")
 
     if user == "": # default when no 'user' set
 
         user = "root"
 
-    pw = input("\n  + Enter PASSWORD (ex: '12345'): ")
 
-    verbosity = input("\n  + Enter VERBOSITY (ex: 'true'): ")
 
-    if verbosity == "True" or verbosity == "true": # default when no 'verbosity' set
 
+    pw = input("\n  + Enter PASSWORD (default: 'root'): ")
 
+    if pw == "": # default when no 'password' set
 
+        ps = "root"
 
+    verbosity = input("\n  + Enter VERBOSITY (default: 'false'): ")
 
+    if verbosity == "True" or verbosity == "true":
 
         verbosity = True
 
     else:
 
-        verbosity = False
 
+        verbosity = False # default when no 'verbosity' set
 
     return target, port, user, pw, verbosity
 
 
 def print_banner():
 
@@ -198,7 +246,7 @@ def print_banner():
 
     print("| |_ | | | | / /  / // __/ __| |_| |")
 
     print("|  _|| |_| |/ /_ / /_\__ \__ \  _  |")
 
     print("|_|   \__,_/____/____|___/___/_| |_| by psy")
 
-    print('\n"Simple SSH Protocol Fuzzing Tool"')
 
+    print('\n"SSH -Protocol- Fuzzing Tool"')
 
     print("\n"+"-"*15+"\n")
 
     print(" * VERSION: ")
 
     print("   + "+VERSION+" - (rev:"+RELEASE+")")