psy 3 anni fa
parent
commit
6e2f0c382c
2 ha cambiato i file con 93 aggiunte e 42 eliminazioni
  1. 4 1
      README.md
  2. 89 41
      fuzzssh.py

+ 4 - 1
README.md

@@ -33,7 +33,8 @@
 
  To make donations use the following hash:
   
-     - Bitcoin: 19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
+     - [BTC]: 19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
+     - [ECO]: ETsRCBzaMawx3isvb5svX7tAukLdUFHKze
 
 ----------
 
@@ -43,3 +44,5 @@
 
 ![c](https://03c8.net/images/fuzzssh_poc2.png)
 
+![c](https://03c8.net/images/fuzzssh_poc3.png)
+

+ 89 - 41
fuzzssh.py

@@ -63,53 +63,98 @@ def payloading():
     num_payloads_bugs = len(payloads_bugs)
     return payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs
 
-def send_payload(client, payload, parameter, verbosity, num_payloads, method):
-    try: # FUZZED PARAMETERS
-        if parameter == "USERNAME":
+def send_payload(client, payload, parameter, verbosity, num_payloads, method): # FUZZED PARAMETERS
+    if parameter == "USERNAME":
+        try:
             client.connect(hostname=str(target),port=int(port),username=payload, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "PASSWORD":
+            client.close() # close SSH client
+        except:
+            pass # keep testing
+    elif parameter == "PASSWORD":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=payload, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "PKEY":
+        except:
+            pass # keep testing
+    elif parameter == "PKEY":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=payload, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "KEY_FILENAME":
+        except:
+            pass # keep testing
+    elif parameter == "KEY_FILENAME":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=payload, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "TIMEOUT":
+        except:
+            pass # keep testing
+    elif parameter == "TIMEOUT":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=payload, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "ALLOW_AGENT":
+        except:
+            pass # keep testing
+    elif parameter == "ALLOW_AGENT":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=payload, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "LOOK_FOR_KEYS":
+        except:
+            pass # keep testing
+    elif parameter == "LOOK_FOR_KEYS":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=payload, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "COMPRESS":
+        except:
+            pass # keep testing
+    elif parameter == "COMPRESS":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=payload, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "SOCK":
+        except:
+            pass # keep testing
+    elif parameter == "SOCK":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=payload, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "GSS_AUTH":
+        except:
+            pass # keep testing
+    elif parameter == "GSS_AUTH":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=payload, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "GSS_KEX":
+        except:
+            pass # keep testing
+    elif parameter == "GSS_KEX":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=payload, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "GSS_DELEG_CREDS":
+        except:
+            pass # keep testing
+    elif parameter == "GSS_DELEG_CREDS":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=payload, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "GSS_HOST":
+        except:
+            pass # keep testing
+    elif parameter == "GSS_HOST":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=payload, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "BANNER_TIMEOUT":
+        except:
+            pass # keep testing
+    elif parameter == "BANNER_TIMEOUT":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=payload, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "AUTH_TIMEOUT":
+        except:
+            pass # keep testing
+    elif parameter == "AUTH_TIMEOUT":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=payload, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
-        elif parameter == "GSS_TRUST_DNS":
+        except:
+            pass # keep testing
+    elif parameter == "GSS_TRUST_DNS":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=payload, passphrase=None, disabled_algorithms=None)
-        elif parameter == "PASSPHRASE":
+        except:
+            pass # keep testing
+    elif parameter == "PASSPHRASE":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=payload, disabled_algorithms=None)
-        elif parameter == "DISABLED_ALGORITHMS":
+        except:
+            pass # keep testing
+    elif parameter == "DISABLED_ALGORITHMS":
+        try:
             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=payload)
-    except paramiko.SSHException as e: # https://docs.paramiko.org/en/stable/api/ssh_exception.html
-        exception = str(e)
-        if not os.path.exists('exceptions.log'):
-            os.mknod('exceptions.log')
-        if not exception in open('exceptions.log').read():
-            f = open("exceptions.log", "a")
-            f.write("Exception error: %s\n\n" % exception)
-            f.close()
-    client.close() # close SSH client
+        except:
+            pass # keep testing
 
 def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs):
     try:
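Review bot: Every branch of send_payload now ends in a bare `except: pass`, which also swallows KeyboardInterrupt and SystemExit, so a run cannot be interrupted cleanly, and it drops the paramiko.SSHException text that the removed code wrote to exceptions.log. `client.close()` is now reached only in the USERNAME branch and only when connect() succeeds, so the other seventeen branches may leave the transport open between payloads. The eighteen connect() calls differ only in which keyword receives `payload`, so building the keyword arguments once and closing in `finally` addresses both points, as sketched below. `target` and `port` are not parameters of send_payload and appear to be module globals defined outside this hunk; the sketch leaves that as it is.

```python
def send_payload(client, payload, parameter, verbosity, num_payloads, method): # FUZZED PARAMETERS
    # same defaults as the existing connect() calls; only the fuzzed keyword is overridden
    kwargs = dict(username=None, password=None, pkey=None, key_filename=None, timeout=None,
                  allow_agent=True, look_for_keys=True, compress=False, sock=None,
                  gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None,
                  banner_timeout=None, auth_timeout=None, gss_trust_dns=True,
                  passphrase=None, disabled_algorithms=None)
    kwargs[parameter.lower()] = payload # parameter is one of the names in the FUZZED PARAMETERS tuple
    try:
        client.connect(hostname=str(target), port=int(port), **kwargs)
    except Exception as e: # not a bare except: Ctrl-C and sys.exit() still propagate
        with open("exceptions.log", "a") as f:
            f.write("Exception error: %s\n\n" % e)
    finally:
        client.close() # close SSH client on every path
```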
@@ -117,9 +162,9 @@ def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_nu
         client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
         client.load_system_host_keys()
         paramiko.util.log_to_file("/dev/null", level="INFO") # logs + bypass -> paramiko.SSHException issue (https://github.com/paramiko/paramiko/issues/1752)
-        print("[Info] Trying SSH [NORMAL] connection...\n")
+        print("[Info] Trying SSH connection...\n")
         client.connect(hostname=str(target),port=int(port),username=str(user),password=str(pw),timeout=10,banner_timeout=200,look_for_keys=False,allow_agent=False)
-        print("\n[Info] [NORMAL] Connection established -> OK!")
+        print("[Info] Connection established -> OK!")
         if verbosity is True:
             b = client.get_transport().remote_version
             print ("\n  -> [*] Banner:")
@@ -131,11 +176,12 @@ def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_nu
             print ("\n  -> [*] Key exchange algorithms:")
             for k in so.kex:
                 print("      -> "+str(k))
-        print("\n[Info] [NORMAL] Connection closed -> OK!")
+            print("\n[Info] Connection closed -> OK!")
         print("\n"+"="*50)
     except:
         print("="*50)
-        print ("\n[Error] [NORMAL] Connection failed! -> [PASSING!]")
+        print ("\n[Error] Connection failed! -> [ABORTING!]\n")
+        sys.exit()
     client.close() # close SSH client
     print("\n -> [*] Starting to test SSH (protocol)...")
     parameters = ("USERNAME", "PASSWORD", "PKEY", "KEY_FILENAME", "TIMEOUT", "ALLOW_AGENT", "LOOK_FOR_KEYS", "COMPRESS", "SOCK", "GSS_AUTH", "GSS_KEX", "GSS_DELEG_CREDS", "GSS_HOST", "BANNER_TIMEOUT", "AUTH_TIMEOUT", "GSS_TRUST_DNS", "PASSPHRASE", "DISABLED_ALGORITHMS") # FUZZED PARAMETERS
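Review bot: The new abort path calls `sys.exit()` with no argument, which exits with status 0, so a failed baseline connection looks like success to anything wrapping the tool; `sys.exit(1)` would report it. The bare `except:` around it (its `try:` starts outside this hunk) hides why the connection failed; `except Exception as e:` with `e` printed next to "[Error] Connection failed!" would separate an authentication failure from a network or host-key error. The "Connection closed -> OK!" print is now indented under `if verbosity is True:`, so it appears only in verbose mode and still runs before `client.close()` is called.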
@@ -171,24 +217,26 @@ def set_target():
     target = input("\n  + Enter TARGET (ex: '100.0.0.1'): ")
     if target == "": # exit when no 'target' set
         print("\n"+"="*50)
-        print("\n[Error] Not ANY target detected... Exiting!\n")
+        print("\n[Error] Not ANY target detected -> [EXITING!]\n")
         sys.exit()
-    port = input("\n  + Enter PORT (ex: '22'): ")
+    port = input("\n  + Enter PORT (default: '22'): ")
     try: # check port as integer num
         port = int(port)
     except:
         port = 22
     if port == "": # default when no 'port' set
         port = 22
-    user = input("\n  + Enter USER (ex: 'root'): ")
+    user = input("\n  + Enter USER (default: 'root'): ")
     if user == "": # default when no 'user' set
         user = "root"
-    pw = input("\n  + Enter PASSWORD (ex: '12345'): ")
-    verbosity = input("\n  + Enter VERBOSITY (ex: 'true'): ")
-    if verbosity == "True" or verbosity == "true": # default when no 'verbosity' set
+    pw = input("\n  + Enter PASSWORD (default: 'root'): ")
+    if pw == "": # default when no 'password' set
+        ps = "root"
+    verbosity = input("\n  + Enter VERBOSITY (default: 'false'): ")
+    if verbosity == "True" or verbosity == "true":
         verbosity = True
     else:
-        verbosity = False
+        verbosity = False # default when no 'verbosity' set
     return target, port, user, pw, verbosity
 
 def print_banner():
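Review bot: The new password default assigns to `ps` instead of `pw`, so an empty answer still returns `pw == ""` and the default shown in the prompt is never applied; the line should read `pw = "root"`. In the unchanged lines just above, the bare `except:` around `int(port)` already falls back to 22, which makes the later `if port == "":` check unreachable, and a parsed value is not checked against the 1-65535 range. Because this prompt reads a credential, `getpass.getpass()` would keep it from being echoed to the terminal, though that needs an import outside this hunk.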
@@ -198,7 +246,7 @@ def print_banner():
     print("| |_ | | | | / /  / // __/ __| |_| |")
     print("|  _|| |_| |/ /_ / /_\__ \__ \  _  |")
     print("|_|   \__,_/____/____|___/___/_| |_| by psy")
-    print('\n"Simple SSH Protocol Fuzzing Tool"')
+    print('\n"SSH -Protocol- Fuzzing Tool"')
     print("\n"+"-"*15+"\n")
     print(" * VERSION: ")
     print("   + "+VERSION+" - (rev:"+RELEASE+")")