Test SSH Github Access - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssh/ssh_enum_git_keys Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Test SSH Github Access
Module: auxiliary/scanner/ssh/ssh_enum_git_keys
Source code: modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb
Disclosure date: -
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will attempt to test remote Git access using .ssh/id_* private keys. This works against GitHub and GitLab by default, but can easily be extended to support more server types.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssh/ssh_enum_git_keys
msf auxiliary(ssh_enum_git_keys) > show options
... show and set options ...
msf auxiliary(ssh_enum_git_keys) > set RHOSTS ip-range
msf auxiliary(ssh_enum_git_keys) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(ssh_enum_git_keys) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(ssh_enum_git_keys) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(ssh_enum_git_keys) > set RHOSTS file:/tmp/ip_list.txt
Knowledge Base
Introduction
This module attempts to authenticate to Git servers using compromised SSH private keys. It can be used to check a single key or to recursively look through a directory. It will not attempt to check keys that have a passphrase; however, a bruteforce attack could be launched against such a key and the passphrase could then be removed.
Setup
ssh-keygen -b 2048 -t rsa
- Add the RSA public key to a GitHub or GitLab account (the public key is the file ending in .pub)
- Follow the usage instructions below
- Either use KEY_FILE or KEY_DIR to specify the generated SSH private key
- Run the module
- Observe that it will identify the GitHub/GitLab user that this key belongs to
Usage
msf5 > use auxiliary/scanner/ssh/ssh_enum_git_keys
msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > set KEY_DIR /Users/w/.ssh
KEY_DIR => /Users/w/.ssh
msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > run
Git Access Data
===============
Key Location              User Access
------------              -----------
/Users/w/.ssh/id_ed25519  wdahlenburg
[*] Auxiliary module execution completed
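The two checks behind the output above are worth seeing in code: the module skips passphrase-protected keys (as the Introduction notes) and parses the user name from the Git server's greeting. The following is an added example, not the module's source; it assumes the GitHub greeting format ("Hi USER! You've successfully authenticated ...") and the GitLab one ("Welcome to GitLab, @USER!"), and the unprotected_keys helper lets a defender audit their own ~/.ssh for the same files this module would be able to use.

```ruby
require 'base64'
require 'tmpdir'

OPENSSH_MAGIC = "openssh-key-v1\0".b

# Constructed sample: build the start of an OpenSSH-format key blob.
# The cipher name right after the magic is "none" for unencrypted keys.
def build_openssh_blob(cipher)
  OPENSSH_MAGIC + [cipher.bytesize].pack('N') + cipher
end

def wrap_openssh(blob)
  "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
    Base64.strict_encode64(blob).scan(/.{1,70}/).join("\n") +
    "\n-----END OPENSSH PRIVATE KEY-----\n"
end

# True if the private key text is passphrase-protected. Handles the
# OpenSSH format (cipher field != "none") and legacy PEM keys, which
# carry a "Proc-Type: 4,ENCRYPTED" header when encrypted.
def passphrase_protected?(text)
  return text.include?('Proc-Type: 4,ENCRYPTED') unless text.include?('BEGIN OPENSSH PRIVATE KEY')
  blob = Base64.decode64(text.lines.reject { |l| l.start_with?('-----') }.join)
  off = OPENSSH_MAGIC.bytesize
  return false unless blob.start_with?(OPENSSH_MAGIC) && blob.bytesize >= off + 4
  len = blob[off, 4].unpack1('N')
  blob[off + 4, len] != 'none'
end

# Audit helper: id_* private keys under dir that have no passphrase,
# i.e. the files this module would be able to use if they leaked.
def unprotected_keys(dir)
  Dir.glob(File.join(dir, '**', 'id_*'))
     .reject { |f| f.end_with?('.pub') || !File.file?(f) }
     .select { |f| !passphrase_protected?(File.read(f)) }
end

# Success greetings (assumed formats) returned by a key test over SSH.
GITHUB_RE = /^Hi (?<user>[^!]+)! You've successfully authenticated/
GITLAB_RE = /^Welcome to GitLab, @(?<user>[\w.-]+)!/

def parse_user(output)
  m = GITHUB_RE.match(output) || GITLAB_RE.match(output)
  m && m[:user]
end
```

Any path reported by unprotected_keys is a key that should be passphrase-protected or rotated, since the Git server will accept it from whoever holds the file.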
Post Exploitation
Once you have identified a Git user from an SSH key, there are two immediate possibilities.
- Download private repositories that the owner knows
- Modify public repositories and inject a backdoor
To begin either, the valid keys will need to be added to the current ~/.ssh/config.
Example: Using a valid key at /Users/w/.ssh/id_ed25519
- Write the following to ~/.ssh/config:
Host github
    User git
    Hostname github.com
    PreferredAuthentications publickey
    IdentityFile /Users/w/.ssh/id_ed25519
- Clone a repo using the key
$ git clone github:<username>/Repo.git
- Alternatively, modify an existing local repo by editing the .git/config file
...
[remote "origin"]
    url = github:username/reponame.git
...
- Any changes will be pushed using the specified key. Make sure you set the git aliases to match your target.
Msfconsole Usage
Here is how the scanner/ssh/ssh_enum_git_keys auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssh/ssh_enum_git_keys
msf6 auxiliary(scanner/ssh/ssh_enum_git_keys) > show info
Name: Test SSH Github Access
Module: auxiliary/scanner/ssh/ssh_enum_git_keys
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Wyatt Dahlenburg (@wdahlenb)
Check supported:
No
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
GITSERVER  github.com       yes       Parameter to specify alternate Git Server (GitHub, GitLab, etc)
KEY_DIR                     no        Directory of several keys. Filenames will be recursivley found matching id_* (Ex: /home/user/.ssh)
KEY_FILE                    no        Filename of a private key.
THREADS    1                yes       The number of concurrent threads (max one per host)
Description:
This module will attempt to test remote Git access using (.ssh/id_*
private keys). This works against GitHub and GitLab by default, but
can easily be extended to support more server types.
References:
https://help.github.com/en/articles/testing-your-ssh-connection
Module Options
This is a complete list of options available in the scanner/ssh/ssh_enum_git_keys auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_enum_git_keys) > show options
Module options (auxiliary/scanner/ssh/ssh_enum_git_keys):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
GITSERVER  github.com       yes       Parameter to specify alternate Git Server (GitHub, GitLab, etc)
KEY_DIR                     no        Directory of several keys. Filenames will be recursivley found matching id_* (Ex: /home/user/.ssh)
KEY_FILE                    no        Filename of a private key.
THREADS    1                yes       The number of concurrent threads (max one per host)
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssh/ssh_enum_git_keys auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_enum_git_keys) > show advanced
Module advanced options (auxiliary/scanner/ssh/ssh_enum_git_keys):
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
ShowProgress         true             yes       Display progress messages during a scan
ShowProgressPercent  10               yes       The interval in percent that progress should be shown
VERBOSE              false            no        Enable detailed status messages
WORKSPACE                             no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssh/ssh_enum_git_keys module can do:
msf6 auxiliary(scanner/ssh/ssh_enum_git_keys) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/ssh/ssh_enum_git_keys auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/ssh/ssh_enum_git_keys) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<FILE> - No valid keys found
Here is a relevant code snippet related to the "<FILE> - No valid keys found" error message:
75: in_key = false
76: keys << file unless has_passphrase?(file)
77: end
78: end
79: if keys.empty?
80: print_error "#{file} - No valid keys found"
81: end
82: return keys
83: end
84:
85: def parse_user(output)
Please specify a KEY_FILE or KEY_DIR
Here is a relevant code snippet related to the "Please specify a KEY_FILE or KEY_DIR" error message:
153: check_git_keys(keys)
154: end
155:
156: def run
157: if datastore['KEY_FILE'].nil? && datastore['KEY_DIR'].nil?
158: fail_with Failure::BadConfig, 'Please specify a KEY_FILE or KEY_DIR'
159: elsif !(key_file.blank? ^ key_dir.blank?)
160: fail_with Failure::BadConfig, 'Please only specify one KEY_FILE or KEY_DIR'
161: end
162:
163: results = test_keys
Please only specify one KEY_FILE or KEY_DIR
Here is a relevant code snippet related to the "Please only specify one KEY_FILE or KEY_DIR" error message:
155:
156: def run
157: if datastore['KEY_FILE'].nil? && datastore['KEY_DIR'].nil?
158: fail_with Failure::BadConfig, 'Please specify a KEY_FILE or KEY_DIR'
159: elsif !(key_file.blank? ^ key_dir.blank?)
160: fail_with Failure::BadConfig, 'Please only specify one KEY_FILE or KEY_DIR'
161: end
162:
163: results = test_keys
164: return if results.empty?
165:
Related Pull Requests
References
See Also
Check also the following modules related to this module:
- auxiliary/scanner/ssh/ssh_enumusers
- auxiliary/scanner/ssh/ssh_identify_pubkeys
- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/ssh/ssh_login_pubkey
- auxiliary/scanner/ssh/ssh_version
- auxiliary/scanner/ssh/apache_karaf_command_execution
- auxiliary/scanner/ssh/cerberus_sftp_enumusers
- auxiliary/scanner/ssh/detect_kippo
- auxiliary/scanner/ssh/eaton_xpert_backdoor
- auxiliary/scanner/ssh/fortinet_backdoor
- auxiliary/scanner/ssh/juniper_backdoor
- auxiliary/scanner/ssh/karaf_login
- auxiliary/scanner/ssh/libssh_auth_bypass
- auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
- auxiliary/fuzzers/ssh/ssh_version_15
- auxiliary/fuzzers/ssh/ssh_version_2
- auxiliary/fuzzers/ssh/ssh_version_corrupt
- post/multi/gather/ssh_creds
- auxiliary/dos/windows/ssh/sysax_sshd_kexchange
- auxiliary/admin/http/cisco_7937g_ssh_privesc
- auxiliary/admin/http/typo3_winstaller_default_enc_keys
- exploit/linux/local/sophos_wpa_clear_keys
- exploit/windows/ldap/pgp_keyserver7
- post/multi/gather/aws_keys
- post/windows/gather/enum_ms_product_keys
- post/windows/manage/sticky_keys
- auxiliary/scanner/http/cgit_traversal
- auxiliary/scanner/http/gitlab_graphql_user_enum
- auxiliary/scanner/http/gitlab_login
- auxiliary/scanner/http/gitlab_user_enum
- auxiliary/scanner/http/git_scanner
- auxiliary/admin/http/gitstack_rest
Authors
- Wyatt Dahlenburg (@wdahlenb)
Version
This page has been produced using Metasploit Framework version 6.1.36-dev. For more modules, visit the Metasploit Module Library.