Home Explore Help
Sign In
epsylon
/
fuzzssh
Watch 1
Star 0
Fork 0
Files Pull Requests 0
Tree: 43394476c2
Branches Tags
fuzzssh
/
fuzzssh.py

fuzzssh.py 15 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219 
  1. #!/usr/bin/env python3 
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. """
    4. 

  4. FuzzSSH (Simple SSH Fuzzer) - 2022 - by psy (epsylon@riseup.net)
    5. 

  5. 

  6. You should have received a copy of the GNU General Public License along
    7. 

  7. with FuzzSSH; if not, write to the Free Software Foundation, Inc., 51
    8. 

  8. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    9. 

  9. ----------
    10. 

  10. See following RFCs for more info:
    11. 

  11.     rfc4251 - The SSH Protocol Architecture
    12. 

  12.     rfc4252 - The SSH Authentication Protocol
    13. 

  13.     rfc4253 - The SSH Transport Layer Protocol
    14. 

  14.     rfc4254 - The SSH Connection Protocol
    15. 

  15. ----------
    16. 

  16. Current [01/22][Paramiko] tested parameters: 
    17. 

  17.     username, password, pkey, key_filename, timeout, allow_agent, 
    18. 

  18.     look_for_keys, compress, sock, gss_auth, gss_kex, gss_deleg_creds, 
    19. 

  19.     gss_host, banner_timeout, auth_timeout, gss_trust_dns, passphrase, 
    20. 

  20.     disabled_algorithms
    21. 

  21. """
    22. 

  22. import sys, time, os
    23. 

  23. try:
    24. 

  24.     import paramiko
    25. 

  25. except:
    26. 

  26.     print("\nError importing: paramiko lib. \n\n To install it on Debian based systems:\n\n $ 'sudo apt-get install python3-paramiko'\n")
    27. 

  27.     sys.exit()
    28. 

  28. 

  29. VERSION = "v:0.1beta"
    30. 

  30. RELEASE = "12012022"
    31. 

  31. SOURCE1 = "https://code.03c8.net/epsylon/fuzzssh"
    32. 

  32. SOURCE2 = "https://github.com/epsylon/fuzzssh"
    33. 

  33. CONTACT = "epsylon@riseup.net - (https://03c8.net)"
    34. 

  34. 

  35. try:
    36. 

  36.     import payloads.payloads # import payloads
    37. 

  37. except:
    38. 

  38.     print ("\n[Info] Try to run the tool with Python3.x.y... (ex: python3 fuzzssh.py) -> [EXITING!]\n")
    39. 

  39.     sys.exit()
    40. 

  40. 

  41. def progressbar(it, prefix="", size=60, file=sys.stdout):
    42. 

  42.     count = len(it)
    43. 

  43.     def show(j):
    44. 

  44.         x = int(size*j/count)
    45. 

  45.         file.write("%s[%s%s] %i/%i\r" % (prefix, "#"*x, "."*(size-x), j, count))
    46. 

  46.         file.flush()        
    47. 

  47.     show(0)
    48. 

  48.     for i, item in enumerate(it):
    49. 

  49.         yield item
    50. 

  50.         show(i+1)
    51. 

  51.     file.write("\n")
    52. 

  52.     file.flush()
    53. 

  53. 

  54. def payloading():
    55. 

  55.     print("\n"+"="*50 + "\n")
    56. 

  56.     payloads_numbers = payloads.payloads.numbers # load 'numbers' payloads
    57. 

  57.     num_payloads_numbers = len(payloads_numbers)
    58. 

  58.     payloads_overflows = payloads.payloads.overflows # load 'overflows' payloads
    59. 

  59.     num_payloads_overflows = len(payloads_overflows)
    60. 

  60.     payloads_strings = payloads.payloads.strings # load 'strings' payloads
    61. 

  61.     num_payloads_strings = len(payloads_strings)
    62. 

  62.     payloads_bugs = payloads.payloads.bugs # load 'bugs' payloads
    63. 

  63.     num_payloads_bugs = len(payloads_bugs)
    64. 

  64.     return payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs
    65. 

  65. 

  66. def send_payload(client, payload, parameter, verbosity, num_payloads, method):
    67. 

  67.     try: # FUZZED PARAMETERS
    68. 

  68.         if parameter == "USERNAME":
    69. 

  69.             client.connect(hostname=str(target),port=int(port),username=payload, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    70. 

  70.         elif parameter == "PASSWORD":
    71. 

  71.             client.connect(hostname=str(target),port=int(port),username=None, password=payload, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    72. 

  72.         elif parameter == "PKEY":
    73. 

  73.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=payload, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    74. 

  74.         elif parameter == "KEY_FILENAME":
    75. 

  75.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=payload, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    76. 

  76.         elif parameter == "TIMEOUT":
    77. 

  77.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=payload, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    78. 

  78.         elif parameter == "ALLOW_AGENT":
    79. 

  79.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=payload, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    80. 

  80.         elif parameter == "LOOK_FOR_KEYS":
    81. 

  81.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=payload, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    82. 

  82.         elif parameter == "COMPRESS":
    83. 

  83.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=payload, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    84. 

  84.         elif parameter == "SOCK":
    85. 

  85.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=payload, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    86. 

  86.         elif parameter == "GSS_AUTH":
    87. 

  87.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=payload, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    88. 

  88.         elif parameter == "GSS_KEX":
    89. 

  89.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=payload, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    90. 

  90.         elif parameter == "GSS_DELEG_CREDS":
    91. 

  91.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=payload, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    92. 

  92.         elif parameter == "GSS_HOST":
    93. 

  93.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=payload, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    94. 

  94.         elif parameter == "BANNER_TIMEOUT":
    95. 

  95.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=payload, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    96. 

  96.         elif parameter == "AUTH_TIMEOUT":
    97. 

  97.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=payload, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    98. 

  98.         elif parameter == "GSS_TRUST_DNS":
    99. 

  99.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=payload, passphrase=None, disabled_algorithms=None)
    100. 

  100.         elif parameter == "PASSPHRASE":
    101. 

  101.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=payload, disabled_algorithms=None)
    102. 

  102.         elif parameter == "DISABLED_ALGORITHMS":
    103. 

  103.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=payload)
    104. 

  104.     except paramiko.SSHException as e: # https://docs.paramiko.org/en/stable/api/ssh_exception.html
    105. 

  105.         exception = str(e)
    106. 

  106.         if not os.path.exists('exceptions.log'):
    107. 

  107.             os.mknod('exceptions.log')
    108. 

  108.         if not exception in open('exceptions.log').read():
    109. 

  109.             f = open("exceptions.log", "a")
    110. 

  110.             f.write("Exception error: %s\n\n" % exception)
    111. 

  111.             f.close()
    112. 

  112.     client.close() # close SSH client
    113. 

  113. 

  114. def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs):
    115. 

  115.     try:
    116. 

  116.         client = paramiko.SSHClient()
    117. 

  117.         client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    118. 

  118.         client.load_system_host_keys()
    119. 

  119.         paramiko.util.log_to_file("/dev/null", level="INFO") # logs + bypass -> paramiko.SSHException issue (https://github.com/paramiko/paramiko/issues/1752)
    120. 

  120.         print("[Info] Trying SSH [NORMAL] connection...\n")
    121. 

  121.         client.connect(hostname=str(target),port=int(port),username=str(user),password=str(pw),timeout=10,banner_timeout=200,look_for_keys=False,allow_agent=False)
    122. 

  122.         print("\n[Info] [NORMAL] Connection established -> OK!")
    123. 

  123.         if verbosity is True:
    124. 

  124.             b = client.get_transport().remote_version
    125. 

  125.             print ("\n  -> [*] Banner:")
    126. 

  126.             print("      -> "+str(b))
    127. 

  127.             so = client._transport.get_security_options()
    128. 

  128.             print ("\n  -> [*] Ciphering algorithms:")
    129. 

  129.             for c in so.ciphers:
    130. 

  130.                 print("      -> "+str(c))
    131. 

  131.             print ("\n  -> [*] Key exchange algorithms:")
    132. 

  132.             for k in so.kex:
    133. 

  133.                 print("      -> "+str(k))
    134. 

  134.         print("\n[Info] [NORMAL] Connection closed -> OK!")
    135. 

  135.         print("\n"+"="*50)
    136. 

  136.     except:
    137. 

  137.         print("="*50)
    138. 

  138.         print ("\n[Error] [NORMAL] Connection failed! -> [PASSING!]")
    139. 

  139.     client.close() # close SSH client
    140. 

  140.     print("\n -> [*] Starting to test SSH (protocol)...")
    141. 

  141.     parameters = ("USERNAME", "PASSWORD", "PKEY", "KEY_FILENAME", "TIMEOUT", "ALLOW_AGENT", "LOOK_FOR_KEYS", "COMPRESS", "SOCK", "GSS_AUTH", "GSS_KEX", "GSS_DELEG_CREDS", "GSS_HOST", "BANNER_TIMEOUT", "AUTH_TIMEOUT", "GSS_TRUST_DNS", "PASSPHRASE", "DISABLED_ALGORITHMS") # FUZZED PARAMETERS
    142. 

  142.     for parameter in parameters:
    143. 

  143.         print("\n     -> [SSH] -> ["+str(parameter)+"]...\n")
    144. 

  144.         method = "         [*] Numbers       "
    145. 

  145.         for i in progressbar(range(num_payloads_numbers),method+" ", 40):
    146. 

  146.             time.sleep(0.7)
    147. 

  147.         for number in payloads_numbers:
    148. 

  148.             send_payload(client, number, parameter, verbosity, num_payloads_numbers, method)
    149. 

  149.             time.sleep(0.2)
    150. 

  150.         method = "         [*] Overflows     "
    151. 

  151.         for i in progressbar(range(num_payloads_overflows),method+" ", 40):
    152. 

  152.             time.sleep(0.7)
    153. 

  153.         for overflow in payloads_overflows:
    154. 

  154.             send_payload(client, overflow, parameter, verbosity, num_payloads_overflows, method)
    155. 

  155.             time.sleep(0.2)
    156. 

  156.         method = "         [*] Format Strings"
    157. 

  157.         for i in progressbar(range(num_payloads_strings),method+" ", 40):
    158. 

  158.             time.sleep(0.7)
    159. 

  159.         for string in payloads_strings:
    160. 

  160.             send_payload(client, string, parameter, verbosity, num_payloads_strings, method)
    161. 

  161.             time.sleep(0.2)
    162. 

  162.         method = "         [*] Known bugs    "
    163. 

  163.         for i in progressbar(range(num_payloads_bugs),method+" ", 40):
    164. 

  164.             time.sleep(0.7)
    165. 

  165.         for bug in payloads_bugs:
    166. 

  166.             send_payload(client, bug, parameter, verbosity, num_payloads_bugs, method)
    167. 

  167.             time.sleep(0.2)
    168. 

  168.         print("\n"+"-"*15)
    169. 

  169. 

  170. def set_target():
    171. 

  171.     target = input("\n  + Enter TARGET (ex: '100.0.0.1'): ")
    172. 

  172.     if target == "": # exit when no 'target' set
    173. 

  173.         print("\n"+"="*50)
    174. 

  174.         print("\n[Error] Not ANY target detected... Exiting!\n")
    175. 

  175.         sys.exit()
    176. 

  176.     port = input("\n  + Enter PORT (ex: '22'): ")
    177. 

  177.     try: # check port as integer num
    178. 

  178.         port = int(port)
    179. 

  179.     except:
    180. 

  180.         port = 22
    181. 

  181.     if port == "": # default when no 'port' set
    182. 

  182.         port = 22
    183. 

  183.     user = input("\n  + Enter USER (ex: 'root'): ")
    184. 

  184.     if user == "": # default when no 'user' set
    185. 

  185.         user = "root"
    186. 

  186.     pw = input("\n  + Enter PASSWORD (ex: '12345'): ")
    187. 

  187.     verbosity = input("\n  + Enter VERBOSITY (ex: 'true'): ")
    188. 

  188.     if verbosity == "True" or verbosity == "true": # default when no 'verbosity' set
    189. 

  189.         verbosity = True
    190. 

  190.     else:
    191. 

  191.         verbosity = False
    192. 

  192.     return target, port, user, pw, verbosity
    193. 

  193. 

  194. def print_banner():
    195. 

  195.     print("\n"+"="*50)
    196. 

  196.     print(" _____      __________        _   _ ")
    197. 

  197.     print("|  ___|   _|__  /__  /___ ___| | | |")
    198. 

  198.     print("| |_ | | | | / /  / // __/ __| |_| |")
    199. 

  199.     print("|  _|| |_| |/ /_ / /_\__ \__ \  _  |")
    200. 

  200.     print("|_|   \__,_/____/____|___/___/_| |_| by psy")
    201. 

  201.     print('\n"Simple SSH Protocol Fuzzing Tool"')
    202. 

  202.     print("\n"+"-"*15+"\n")
    203. 

  203.     print(" * VERSION: ")
    204. 

  204.     print("   + "+VERSION+" - (rev:"+RELEASE+")")
    205. 

  205.     print("\n * SOURCES:")
    206. 

  206.     print("   + "+SOURCE1)
    207. 

  207.     print("   + "+SOURCE2)
    208. 

  208.     print("\n * CONTACT: ")
    209. 

  209.     print("   + "+CONTACT+"\n")
    210. 

  210.     print("-"*15+"\n")
    211. 

  211.     print("="*50)
    212. 

  212. 

  213. # sub_init #
    214. 

  214. print_banner() # show banner
    215. 

  215. print("\n"+"="*50)
    216. 

  216. target, port, user, pw, verbosity = set_target()
    217. 

  217. payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs = payloading()
    218. 

  218. exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs)
    219. 

  219.