Home Explore Help
Sign In
epsylon
/
fuzzssh
Watch 1
Star 0
Fork 0
Files Pull Requests 0
Branch: master
Branches Tags
fuzzssh
/
fuzzssh.py

fuzzssh.py 16 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267 
  1. #!/usr/bin/env python3 
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. """
    4. 

  4. FuzzSSH (Simple SSH Fuzzer) - 2022 - by psy (epsylon@riseup.net)
    5. 

  5. 

  6. You should have received a copy of the GNU General Public License along
    7. 

  7. with FuzzSSH; if not, write to the Free Software Foundation, Inc., 51
    8. 

  8. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    9. 

  9. ----------
    10. 

  10. See following RFCs for more info:
    11. 

  11.     rfc4251 - The SSH Protocol Architecture
    12. 

  12.     rfc4252 - The SSH Authentication Protocol
    13. 

  13.     rfc4253 - The SSH Transport Layer Protocol
    14. 

  14.     rfc4254 - The SSH Connection Protocol
    15. 

  15. ----------
    16. 

  16. Current [01/22][Paramiko] tested parameters: 
    17. 

  17.     username, password, pkey, key_filename, timeout, allow_agent, 
    18. 

  18.     look_for_keys, compress, sock, gss_auth, gss_kex, gss_deleg_creds, 
    19. 

  19.     gss_host, banner_timeout, auth_timeout, gss_trust_dns, passphrase, 
    20. 

  20.     disabled_algorithms
    21. 

  21. """
    22. 

  22. import sys, time, os
    23. 

  23. try:
    24. 

  24.     import paramiko
    25. 

  25. except:
    26. 

  26.     print("\nError importing: paramiko lib. \n\n To install it on Debian based systems:\n\n $ 'sudo apt-get install python3-paramiko'\n")
    27. 

  27.     sys.exit()
    28. 

  28. 

  29. VERSION = "v:0.1beta"
    30. 

  30. RELEASE = "12012022"
    31. 

  31. SOURCE1 = "https://code.03c8.net/epsylon/fuzzssh"
    32. 

  32. SOURCE2 = "https://github.com/epsylon/fuzzssh"
    33. 

  33. CONTACT = "epsylon@riseup.net - (https://03c8.net)"
    34. 

  34. 

  35. try:
    36. 

  36.     import payloads.payloads # import payloads
    37. 

  37. except:
    38. 

  38.     print ("\n[Info] Try to run the tool with Python3.x.y... (ex: python3 fuzzssh.py) -> [EXITING!]\n")
    39. 

  39.     sys.exit()
    40. 

  40. 

  41. def progressbar(it, prefix="", size=60, file=sys.stdout):
    42. 

  42.     count = len(it)
    43. 

  43.     def show(j):
    44. 

  44.         x = int(size*j/count)
    45. 

  45.         file.write("%s[%s%s] %i/%i\r" % (prefix, "#"*x, "."*(size-x), j, count))
    46. 

  46.         file.flush()        
    47. 

  47.     show(0)
    48. 

  48.     for i, item in enumerate(it):
    49. 

  49.         yield item
    50. 

  50.         show(i+1)
    51. 

  51.     file.write("\n")
    52. 

  52.     file.flush()
    53. 

  53. 

  54. def payloading():
    55. 

  55.     print("\n"+"="*50 + "\n")
    56. 

  56.     payloads_numbers = payloads.payloads.numbers # load 'numbers' payloads
    57. 

  57.     num_payloads_numbers = len(payloads_numbers)
    58. 

  58.     payloads_overflows = payloads.payloads.overflows # load 'overflows' payloads
    59. 

  59.     num_payloads_overflows = len(payloads_overflows)
    60. 

  60.     payloads_strings = payloads.payloads.strings # load 'strings' payloads
    61. 

  61.     num_payloads_strings = len(payloads_strings)
    62. 

  62.     payloads_bugs = payloads.payloads.bugs # load 'bugs' payloads
    63. 

  63.     num_payloads_bugs = len(payloads_bugs)
    64. 

  64.     return payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs
    65. 

  65. 

  66. def send_payload(client, payload, parameter, verbosity, num_payloads, method): # FUZZED PARAMETERS
    67. 

  67.     if parameter == "USERNAME":
    68. 

  68.         try:
    69. 

  69.             client.connect(hostname=str(target),port=int(port),username=payload, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    70. 

  70.             client.close() # close SSH client
    71. 

  71.         except:
    72. 

  72.             pass # keep testing
    73. 

  73.     elif parameter == "PASSWORD":
    74. 

  74.         try:
    75. 

  75.             client.connect(hostname=str(target),port=int(port),username=None, password=payload, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    76. 

  76.         except:
    77. 

  77.             pass # keep testing
    78. 

  78.     elif parameter == "PKEY":
    79. 

  79.         try:
    80. 

  80.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=payload, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    81. 

  81.         except:
    82. 

  82.             pass # keep testing
    83. 

  83.     elif parameter == "KEY_FILENAME":
    84. 

  84.         try:
    85. 

  85.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=payload, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    86. 

  86.         except:
    87. 

  87.             pass # keep testing
    88. 

  88.     elif parameter == "TIMEOUT":
    89. 

  89.         try:
    90. 

  90.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=payload, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    91. 

  91.         except:
    92. 

  92.             pass # keep testing
    93. 

  93.     elif parameter == "ALLOW_AGENT":
    94. 

  94.         try:
    95. 

  95.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=payload, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    96. 

  96.         except:
    97. 

  97.             pass # keep testing
    98. 

  98.     elif parameter == "LOOK_FOR_KEYS":
    99. 

  99.         try:
    100. 

  100.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=payload, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    101. 

  101.         except:
    102. 

  102.             pass # keep testing
    103. 

  103.     elif parameter == "COMPRESS":
    104. 

  104.         try:
    105. 

  105.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=payload, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    106. 

  106.         except:
    107. 

  107.             pass # keep testing
    108. 

  108.     elif parameter == "SOCK":
    109. 

  109.         try:
    110. 

  110.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=payload, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    111. 

  111.         except:
    112. 

  112.             pass # keep testing
    113. 

  113.     elif parameter == "GSS_AUTH":
    114. 

  114.         try:
    115. 

  115.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=payload, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    116. 

  116.         except:
    117. 

  117.             pass # keep testing
    118. 

  118.     elif parameter == "GSS_KEX":
    119. 

  119.         try:
    120. 

  120.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=payload, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    121. 

  121.         except:
    122. 

  122.             pass # keep testing
    123. 

  123.     elif parameter == "GSS_DELEG_CREDS":
    124. 

  124.         try:
    125. 

  125.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=payload, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    126. 

  126.         except:
    127. 

  127.             pass # keep testing
    128. 

  128.     elif parameter == "GSS_HOST":
    129. 

  129.         try:
    130. 

  130.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=payload, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    131. 

  131.         except:
    132. 

  132.             pass # keep testing
    133. 

  133.     elif parameter == "BANNER_TIMEOUT":
    134. 

  134.         try:
    135. 

  135.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=payload, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    136. 

  136.         except:
    137. 

  137.             pass # keep testing
    138. 

  138.     elif parameter == "AUTH_TIMEOUT":
    139. 

  139.         try:
    140. 

  140.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=payload, gss_trust_dns=True, passphrase=None, disabled_algorithms=None)
    141. 

  141.         except:
    142. 

  142.             pass # keep testing
    143. 

  143.     elif parameter == "GSS_TRUST_DNS":
    144. 

  144.         try:
    145. 

  145.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=payload, passphrase=None, disabled_algorithms=None)
    146. 

  146.         except:
    147. 

  147.             pass # keep testing
    148. 

  148.     elif parameter == "PASSPHRASE":
    149. 

  149.         try:
    150. 

  150.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=payload, disabled_algorithms=None)
    151. 

  151.         except:
    152. 

  152.             pass # keep testing
    153. 

  153.     elif parameter == "DISABLED_ALGORITHMS":
    154. 

  154.         try:
    155. 

  155.             client.connect(hostname=str(target),port=int(port),username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=payload)
    156. 

  156.         except:
    157. 

  157.             pass # keep testing
    158. 

  158. 

  159. def exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs):
    160. 

  160.     try:
    161. 

  161.         client = paramiko.SSHClient()
    162. 

  162.         client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    163. 

  163.         client.load_system_host_keys()
    164. 

  164.         paramiko.util.log_to_file("/dev/null", level="INFO") # logs + bypass -> paramiko.SSHException issue (https://github.com/paramiko/paramiko/issues/1752)
    165. 

  165.         print("[Info] Trying SSH connection...\n")
    166. 

  166.         client.connect(hostname=str(target),port=int(port),username=str(user),password=str(pw),timeout=10,banner_timeout=200,look_for_keys=False,allow_agent=False)
    167. 

  167.         print("[Info] Connection established -> OK!")
    168. 

  168.         if verbosity is True:
    169. 

  169.             b = client.get_transport().remote_version
    170. 

  170.             print ("\n  -> [*] Banner:")
    171. 

  171.             print("      -> "+str(b))
    172. 

  172.             so = client._transport.get_security_options()
    173. 

  173.             print ("\n  -> [*] Ciphering algorithms:")
    174. 

  174.             for c in so.ciphers:
    175. 

  175.                 print("      -> "+str(c))
    176. 

  176.             print ("\n  -> [*] Key exchange algorithms:")
    177. 

  177.             for k in so.kex:
    178. 

  178.                 print("      -> "+str(k))
    179. 

  179.             print("\n[Info] Connection closed -> OK!")
    180. 

  180.         print("\n"+"="*50)
    181. 

  181.     except:
    182. 

  182.         print("="*50)
    183. 

  183.         print ("\n[Error] Connection failed! -> [ABORTING!]\n")
    184. 

  184.         sys.exit()
    185. 

  185.     client.close() # close SSH client
    186. 

  186.     print("\n -> [*] Starting to test SSH (protocol)...")
    187. 

  187.     parameters = ("USERNAME", "PASSWORD", "PKEY", "KEY_FILENAME", "TIMEOUT", "ALLOW_AGENT", "LOOK_FOR_KEYS", "COMPRESS", "SOCK", "GSS_AUTH", "GSS_KEX", "GSS_DELEG_CREDS", "GSS_HOST", "BANNER_TIMEOUT", "AUTH_TIMEOUT", "GSS_TRUST_DNS", "PASSPHRASE", "DISABLED_ALGORITHMS") # FUZZED PARAMETERS
    188. 

  188.     for parameter in parameters:
    189. 

  189.         print("\n     -> [SSH] -> ["+str(parameter)+"]...\n")
    190. 

  190.         method = "         [*] Numbers       "
    191. 

  191.         for i in progressbar(range(num_payloads_numbers),method+" ", 40):
    192. 

  192.             time.sleep(0.7)
    193. 

  193.         for number in payloads_numbers:
    194. 

  194.             send_payload(client, number, parameter, verbosity, num_payloads_numbers, method)
    195. 

  195.             time.sleep(0.2)
    196. 

  196.         method = "         [*] Overflows     "
    197. 

  197.         for i in progressbar(range(num_payloads_overflows),method+" ", 40):
    198. 

  198.             time.sleep(0.7)
    199. 

  199.         for overflow in payloads_overflows:
    200. 

  200.             send_payload(client, overflow, parameter, verbosity, num_payloads_overflows, method)
    201. 

  201.             time.sleep(0.2)
    202. 

  202.         method = "         [*] Format Strings"
    203. 

  203.         for i in progressbar(range(num_payloads_strings),method+" ", 40):
    204. 

  204.             time.sleep(0.7)
    205. 

  205.         for string in payloads_strings:
    206. 

  206.             send_payload(client, string, parameter, verbosity, num_payloads_strings, method)
    207. 

  207.             time.sleep(0.2)
    208. 

  208.         method = "         [*] Known bugs    "
    209. 

  209.         for i in progressbar(range(num_payloads_bugs),method+" ", 40):
    210. 

  210.             time.sleep(0.7)
    211. 

  211.         for bug in payloads_bugs:
    212. 

  212.             send_payload(client, bug, parameter, verbosity, num_payloads_bugs, method)
    213. 

  213.             time.sleep(0.2)
    214. 

  214.         print("\n"+"-"*15)
    215. 

  215. 

  216. def set_target():
    217. 

  217.     target = input("\n  + Enter TARGET (ex: '100.0.0.1'): ")
    218. 

  218.     if target == "": # exit when no 'target' set
    219. 

  219.         print("\n"+"="*50)
    220. 

  220.         print("\n[Error] Not ANY target detected -> [EXITING!]\n")
    221. 

  221.         sys.exit()
    222. 

  222.     port = input("\n  + Enter PORT (default: '22'): ")
    223. 

  223.     try: # check port as integer num
    224. 

  224.         port = int(port)
    225. 

  225.     except:
    226. 

  226.         port = 22
    227. 

  227.     if port == "": # default when no 'port' set
    228. 

  228.         port = 22
    229. 

  229.     user = input("\n  + Enter USER (default: 'root'): ")
    230. 

  230.     if user == "": # default when no 'user' set
    231. 

  231.         user = "root"
    232. 

  232.     pw = input("\n  + Enter PASSWORD (default: 'root'): ")
    233. 

  233.     if pw == "": # default when no 'password' set
    234. 

  234.         ps = "root"
    235. 

  235.     verbosity = input("\n  + Enter VERBOSITY (default: 'false'): ")
    236. 

  236.     if verbosity == "True" or verbosity == "true":
    237. 

  237.         verbosity = True
    238. 

  238.     else:
    239. 

  239.         verbosity = False # default when no 'verbosity' set
    240. 

  240.     return target, port, user, pw, verbosity
    241. 

  241. 

  242. def print_banner():
    243. 

  243.     print("\n"+"="*50)
    244. 

  244.     print(" _____      __________        _   _ ")
    245. 

  245.     print("|  ___|   _|__  /__  /___ ___| | | |")
    246. 

  246.     print("| |_ | | | | / /  / // __/ __| |_| |")
    247. 

  247.     print("|  _|| |_| |/ /_ / /_\__ \__ \  _  |")
    248. 

  248.     print("|_|   \__,_/____/____|___/___/_| |_| by psy")
    249. 

  249.     print('\n"SSH -Protocol- Fuzzing Tool"')
    250. 

  250.     print("\n"+"-"*15+"\n")
    251. 

  251.     print(" * VERSION: ")
    252. 

  252.     print("   + "+VERSION+" - (rev:"+RELEASE+")")
    253. 

  253.     print("\n * SOURCES:")
    254. 

  254.     print("   + "+SOURCE1)
    255. 

  255.     print("   + "+SOURCE2)
    256. 

  256.     print("\n * CONTACT: ")
    257. 

  257.     print("   + "+CONTACT+"\n")
    258. 

  258.     print("-"*15+"\n")
    259. 

  259.     print("="*50)
    260. 

  260. 

  261. # sub_init #
    262. 

  262. print_banner() # show banner
    263. 

  263. print("\n"+"="*50)
    264. 

  264. target, port, user, pw, verbosity = set_target()
    265. 

  265. payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs = payloading()
    266. 

  266. exploit(target, port, user, pw, verbosity, payloads_numbers, num_payloads_numbers, payloads_overflows, num_payloads_overflows, payloads_strings, num_payloads_strings, payloads_bugs, num_payloads_bugs)
    267. 

  267.