In one of our latest penetration tests we faced an SSH server that was based on Maverick SSHTOOLS.
The funny thing is that this server was implemented by copying and pasting the example from the web, which had the port forwarding feature enabled.
After running a bruteforce attack, we found that the admin account had the "admin" password (strong password policy btw), but when we tried to log in there was no shell; the server echoed everything we typed. So we went for the port forwarding option: we forwarded some ports to interesting services like Terminal Server on the same machine and it worked. We then thought that it would be great to be able to scan the internal network through this port forwarding feature, and that's how we came up with this SSHscan tool.
SSHscan.py allows you to scan an internal network through an SSH server with port forwarding enabled. The tool can also create a port forward on localhost for every open port detected in the internal network range.
This is not a tool that can be used in every engagement, but when you have the opportunity and the need it will come in handy.
The tool has been included in the edgeSSH kit, where we will include all the scripts related to SSH; at the moment only bruteSSH, an SSH login bruteforcer, and scanSSH are included in the kit.
You can download the code here: code.google.com/p/edgessh
Command line options:
-h: target host
-u: username
-p: password
-l: targets list to scan
-t: threads
--remote-host: host to scan
--remote-ports: port list to scan
--default-ports: scan default ports
--all-ports: scan all 65535 ports
--keep-tunnels: Forward all open ports
Examples:
scanssh.py -h 192.168.1.55 -u root -p password -l list.txt
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --remote-ports 80,443
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --default-ports
Enjoy Edge-Security
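From the defender's side, a scan run through port forwarding shows up on the SSH server as one session requesting forwards to many different host:port pairs, most of which fail. The following is an added example, not part of the original post or of the edgeSSH kit: it flags that pattern in server logs, assuming OpenSSH-style "connect_to ... failed" messages (a Maverick-based server will log in its own format, so the regular expression would need adapting). The function name, threshold and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: OpenSSH-style message logged when a forwarded connection
# to the requested target cannot be established.
FAILED_FWD = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+) "
    r"port (?P<port>\d+): failed"
)


def find_forward_sweeps(lines, min_targets=5):
    """Return {sshd pid: sorted [(host, port), ...]} for every sshd process
    whose failed forwards hit at least min_targets distinct targets."""
    targets = defaultdict(set)
    for line in lines:
        m = FAILED_FWD.search(line)
        if m:
            targets[m["pid"]].add((m["host"], int(m["port"])))
    return {
        pid: sorted(seen)
        for pid, seen in targets.items()
        if len(seen) >= min_targets
    }


# Constructed sample: pid 4121 sweeps two internal hosts, pid 4200 is a
# user whose single tunnel target is down and gets retried.
SAMPLE_LOG = """\
Jun 22 10:01:00 gw sshd[4121]: error: connect_to 10.0.0.5 port 21: failed.
Jun 22 10:01:00 gw sshd[4121]: error: connect_to 10.0.0.5 port 23: failed.
Jun 22 10:01:01 gw sshd[4121]: error: connect_to 10.0.0.5 port 25: failed.
Jun 22 10:01:01 gw sshd[4121]: error: connect_to 10.0.0.5 port 110: failed.
Jun 22 10:01:02 gw sshd[4121]: error: connect_to 10.0.0.6 port 21: failed.
Jun 22 10:01:02 gw sshd[4121]: error: connect_to 10.0.0.6 port 23: failed.
Jun 22 10:05:10 gw sshd[4200]: error: connect_to 127.0.0.1 port 5432: failed.
Jun 22 10:05:12 gw sshd[4200]: error: connect_to 127.0.0.1 port 5432: failed.
Jun 22 10:06:00 gw sshd[4310]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    for pid, seen in find_forward_sweeps(SAMPLE_LOG).items():
        hosts = {h for h, _ in seen}
        print(f"sshd[{pid}]: {len(seen)} failed forwards across {len(hosts)} hosts")
```

Where forwarding is not needed at all, disabling it in the server configuration removes the exposure; the log check is for servers that must keep it enabled.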
Edge-security blog about Penetration testing, OSINT, security tools, and other interesting stuff.
Wednesday, June 22, 2011