|
@@ -63,53 +63,98 @@ def payloading():
|
|
|
num_payloads_bugs = len(payloads_bugs)
|
|
|
return payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs
|
|
|
|
|
|
-def send_payload(client, payload, parameter, verbosity, num_payloads, method):
|
|
|
- try: # FUZZED PARAMETERS
|
|
|
- if parameter == "USERNAME":
|
|
|
+def send_payload(client, payload, parameter, verbosity, num_payloads, method): # FUZZED PARAMETERS
|
|
|
+ if parameter == "USERNAME":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=payload, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "PASSWORD":
|
|
|
+ client.close() # close SSH client
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "PASSWORD":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=payload, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "PKEY":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "PKEY":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=payload, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "KEY_FILENAME":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "KEY_FILENAME":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=payload, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "TIMEOUT":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "TIMEOUT":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=payload, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "ALLOW_AGENT":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "ALLOW_AGENT":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=payload, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "LOOK_FOR_KEYS":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "LOOK_FOR_KEYS":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=payload, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "COMPRESS":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "COMPRESS":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=payload, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "SOCK":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "SOCK":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=payload, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "GSS_AUTH":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "GSS_AUTH":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=payload, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "GSS_KEX":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "GSS_KEX":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=payload, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "GSS_DELEG_CREDS":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "GSS_DELEG_CREDS":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=payload, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "GSS_HOST":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "GSS_HOST":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=payload, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "BANNER_TIMEOUT":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "BANNER_TIMEOUT":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=payload, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "AUTH_TIMEOUT":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "AUTH_TIMEOUT":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=payload, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "GSS_TRUST_DNS":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "GSS_TRUST_DNS":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=payload, passphrase=None, disabled_algorithms=None)
|
|
|
- elif parameter == "PASSPHRASE":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "PASSPHRASE":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=payload, disabled_algorithms=None)
|
|
|
- elif parameter == "DISABLED_ALGORITHMS":
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
+ elif parameter == "DISABLED_ALGORITHMS":
|
|
|
+ try:
|
|
|
client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=payload)
|
|
|
- except paramiko.SSHException as e: # https://docs.paramiko.org/en/stable/api/ssh_exception.html
|
|
|
- exception = str(e)
|
|
|
- if not os.path.exists('exceptions.log'):
|
|
|
- os.mknod('exceptions.log')
|
|
|
- if not exception in open('exceptions.log').read():
|
|
|
- f = open("exceptions.log", "a")
|
|
|
- f.write("Exception error: %s\n\n" % exception)
|
|
|
- f.close()
|
|
|
- client.close() # close SSH client
|
|
|
+ except:
|
|
|
+ pass # keep testing
|
|
|
|
|
|
def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs):
|
|
|
try:
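Review bot: The bare `except: pass` added after every `client.connect(...)` throws away the exception text that the removed `paramiko.SSHException` handler wrote to exceptions.log, so the one artefact a fuzzer exists to produce is now discarded, and a bare except also swallows KeyboardInterrupt so a run can no longer be stopped with Ctrl-C. `client.close()` is now reached only after a USERNAME attempt that succeeded; every other branch, and every failed attempt, leaves the transport open. Each attempt also runs with `allow_agent=True, look_for_keys=True, gss_deleg_creds=True`, which offers the operator's own agent keys, ~/.ssh keys and delegated GSS credentials to a target that is being fuzzed precisely because it is not trusted, while the preflight connection in exploit() sets `look_for_keys=False, allow_agent=False`; `timeout=None` additionally lets one hanging payload block the run indefinitely. Since the eighteen branches differ only in which keyword receives the payload, the function collapses to a single connect call with a non-bare handler that keeps logging and a `finally` that always closes the client, as below.
```python
def send_payload(client, payload, parameter, verbosity, num_payloads, method): # FUZZED PARAMETERS
    # Baseline connect() arguments; exactly one keyword is replaced by the payload.
    # Agent/key lookup and GSS delegation stay off so the operator's own credentials
    # are never offered to the (untrusted) fuzz target; timeout bounds a hanging payload.
    kwargs = dict(hostname=str(target), port=int(port), username=None, password=None, pkey=None, key_filename=None, timeout=10, allow_agent=False, look_for_keys=False, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=False, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    kwargs[parameter.lower()] = payload # "KEY_FILENAME" -> key_filename, etc.
    try:
        client.connect(**kwargs)
    except Exception as e: # every exception is a finding; Exception (not bare) keeps Ctrl-C working
        exception = "%s: %s" % (type(e).__name__, e)
        with open("exceptions.log", "a+") as f: # a+ creates the file, no mknod needed
            f.seek(0)
            if exception not in f.read():
                f.write("Exception error: %s\n\n" % exception)
    finally:
        client.close() # close SSH client on every path, not only after a USERNAME success
```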
|
|
@@ -117,9 +162,9 @@ def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_nu
|
|
|
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
|
client.load_system_host_keys()
|
|
|
paramiko.util.log_to_file("/dev/null", level="INFO") # logs + bypass -> paramiko.SSHException issue (https://github.com/paramiko/paramiko/issues/1752)
|
|
|
- print("[Info] Trying SSH [NORMAL] connection...\n")
|
|
|
+ print("[Info] Trying SSH connection...\n")
|
|
|
client.connect(hostname=str(target),port=int(port),username=str(user),password=str(pw),timeout=10,banner_timeout=200,look_for_keys=False,allow_agent=False)
|
|
|
- print("\n[Info] [NORMAL] Connection established -> OK!")
|
|
|
+ print("[Info] Connection established -> OK!")
|
|
|
if verbosity is True:
|
|
|
b = client.get_transport().remote_version
|
|
|
print ("\n -> [*] Banner:")
|
|
@@ -131,11 +176,12 @@ def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_nu
|
|
|
print ("\n -> [*] Key exchange algorithms:")
|
|
|
for k in so.kex:
|
|
|
print(" -> "+str(k))
|
|
|
- print("\n[Info] [NORMAL] Connection closed -> OK!")
|
|
|
+ print("\n[Info] Connection closed -> OK!")
|
|
|
print("\n"+"="*50)
|
|
|
except:
|
|
|
print("="*50)
|
|
|
- print ("\n[Error] [NORMAL] Connection failed! -> [PASSING!]")
|
|
|
+ print ("\n[Error] Connection failed! -> [ABORTING!]\n")
|
|
|
+ sys.exit()
|
|
|
client.close() # close SSH client
|
|
|
print("\n -> [*] Starting to test SSH (protocol)...")
|
|
|
parameters = ("USERNAME", "PASSWORD", "PKEY", "KEY_FILENAME", "TIMEOUT", "ALLOW_AGENT", "LOOK_FOR_KEYS", "COMPRESS", "SOCK", "GSS_AUTH", "GSS_KEX", "GSS_DELEG_CREDS", "GSS_HOST", "BANNER_TIMEOUT", "AUTH_TIMEOUT", "GSS_TRUST_DNS", "PASSPHRASE", "DISABLED_ALGORITHMS") # FUZZED PARAMETERS
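Review bot: The new abort path still sits behind a bare `except:` that also covers the verbose banner/kex printing after the connect, so the operator is told "Connection failed" with no reason, whether the cause was a refused port, a rejected password, a host-key problem or an error in the printing code, and `sys.exit()` with no argument exits with status 0 so a wrapping script cannot tell this abort from a successful run. Catching `except Exception as e:` and printing `"\n[Error] Connection failed (%s: %s) -> [ABORTING!]\n" % (type(e).__name__, e)` followed by `sys.exit(1)` keeps the abort while making it diagnosable and detectable. Narrowing the `try` to the connect and the transport read would also stop a printing error from being reported as a connection failure. The `try` this handler belongs to opens in an earlier hunk of exploit().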
|
|
@@ -171,24 +217,26 @@ def set_target():
|
|
|
target = input("\n + Enter TARGET (ex: '100.0.0.1'): ")
|
|
|
if target == "": # exit when no 'target' set
|
|
|
print("\n"+"="*50)
|
|
|
- print("\n[Error] Not ANY target detected... Exiting!\n")
|
|
|
+ print("\n[Error] Not ANY target detected -> [EXITING!]\n")
|
|
|
sys.exit()
|
|
|
- port = input("\n + Enter PORT (ex: '22'): ")
|
|
|
+ port = input("\n + Enter PORT (default: '22'): ")
|
|
|
try: # check port as integer num
|
|
|
port = int(port)
|
|
|
except:
|
|
|
port = 22
|
|
|
if port == "": # default when no 'port' set
|
|
|
port = 22
|
|
|
- user = input("\n + Enter USER (ex: 'root'): ")
|
|
|
+ user = input("\n + Enter USER (default: 'root'): ")
|
|
|
if user == "": # default when no 'user' set
|
|
|
user = "root"
|
|
|
- pw = input("\n + Enter PASSWORD (ex: '12345'): ")
|
|
|
- verbosity = input("\n + Enter VERBOSITY (ex: 'true'): ")
|
|
|
- if verbosity == "True" or verbosity == "true": # default when no 'verbosity' set
|
|
|
+ pw = input("\n + Enter PASSWORD (default: 'root'): ")
|
|
|
+ if pw == "": # default when no 'password' set
|
|
|
+ ps = "root"
|
|
|
+ verbosity = input("\n + Enter VERBOSITY (default: 'false'): ")
|
|
|
+ if verbosity == "True" or verbosity == "true":
|
|
|
verbosity = True
|
|
|
else:
|
|
|
- verbosity = False
|
|
|
+ verbosity = False # default when no 'verbosity' set
|
|
|
return target, port, user, pw, verbosity
|
|
|
|
|
|
def print_banner():
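Review bot: `ps = "root"` on the new default-password line assigns the wrong name, so when the operator presses Enter at the PASSWORD prompt `pw` stays empty and the preflight login in exploit() is attempted with an empty password, contradicting the prompt text `(default: 'root')`; the line should read `pw = "root"`. The `if port == "":` check that follows the `int(port)` conversion is unreachable, since after the try/except `port` is always an int, and can be dropped. Reading the password with `input()` also echoes it to the terminal and to any session transcript; `getpass.getpass("\n + Enter PASSWORD (default: 'root'): ")` is the stdlib replacement and would need `import getpass` at the top of the file, which is outside this hunk. set_target() begins before this hunk.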
|
|
@@ -198,7 +246,7 @@ def print_banner():
|
|
|
print("| |_ | | | | / / / // __/ __| |_| |")
|
|
|
print("| _|| |_| |/ /_ / /_\__ \__ \ _ |")
|
|
|
print("|_| \__,_/____/____|___/___/_| |_| by psy")
|
|
|
- print('\n"Simple SSH Protocol Fuzzing Tool"')
|
|
|
+ print('\n"SSH -Protocol- Fuzzing Tool"')
|
|
|
print("\n"+"-"*15+"\n")
|
|
|
print(" * VERSION: ")
|
|
|
print(" + "+VERSION+" - (rev:"+RELEASE+")")
|