Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problems when running the ssh plugin #20

Closed
bleh92 opened this issue Nov 7, 2023 · 23 comments
Closed

Problems when running the ssh plugin #20

bleh92 opened this issue Nov 7, 2023 · 23 comments
Assignees
Labels
bug Something isn't working

Comments

@bleh92
Copy link

bleh92 commented Nov 7, 2023

Helloo,
I am a github noob, so forgive me if I am doing this wrong.

So I was testing your tool to brute force SSH credentials on 2 machines in my network. I have installed all the dependencies and the tool runs without any error.
My machine:-
Linux Bruteforcer 5.4.0-166-generic #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

It is the same for the other 2 machines as well.

So the command I used was:
./legba ssh --username ubuntu --password wordlists/passwords.txt --target @target.txt -O result --output-format jsonl -Q
and go the expected result
image

Also note that the only password stored in the passwords.txt is Lab4man1.
image

When I run the same command but this time remove the -Q flag, I get this error
image

This keeps running forever, until I stop it.

If there are multiple passwords in the password list the same error as the over one is noticed. But in case of -Q flag , it doesn't run forever.

Multiple passwords file:
image

./legba ssh --username ubuntu --password wordlists/password-new.txt --target @target.txt -O result --output-format jsonl

image

./legba ssh --username ubuntu --password wordlists/password-new.txt --target @target.txt -O result --output-format jsonl -Q

image

Once again , sorry If this isn't the way to ask a question.
Thank you.

@evilsocket
Copy link
Owner

@bleh92 none of these are errors, but informative messages of the progress, except for the last one ... in the last one, I can see the machines are not responding anymore ("deadline has elapsed" means a timeout while connecting) so the reason why it's taking forever is probably because they've stopped responding after the first attempt?

can you ssh manually to those machines when this is happening?

@bleh92
Copy link
Author

bleh92 commented Nov 7, 2023

@bleh92 none of these are errors, but informative messages of the progress, except for the last one ... in the last one, I can see the machines are not responding anymore ("deadline has elapsed" means a timeout while connecting) so the reason why it's taking forever is probably because they've stopped responding after the first attempt?

can you ssh manually to those machines when this is happening?

Yes, I checked just now. I am able to ssh simultaneously while the script is running.

@evilsocket
Copy link
Owner

to both targets, from the same machine? is fail2ban active?

@bleh92
Copy link
Author

bleh92 commented Nov 7, 2023

Yes, I am able to ssh to both .10 and .11 at the same time, while the script is running, and both .10 and .11 are fresh installations.
But just in case
A screenshot of .10 machine
image

@evilsocket
Copy link
Owner

mmm weird ... can you run legba by prepending RUST_LOG=debug and pasting the log here please?

RUST_LOG=debug ./legba ssh --username ubuntu --password wordlists/passwords.txt --target @target.txt

@evilsocket evilsocket reopened this Nov 7, 2023
@bleh92
Copy link
Author

bleh92 commented Nov 7, 2023

For the command you have suggested above, it again runs endlessly
image

when I run it using -Q i.e,
RUST_LOG=debug ./legba ssh --username ubuntu --password wordlists/passwords.txt --target @target.txt -Q
this password file has only 1 password which is Lab4man1, which is the correct password to login to my machines.

this is the output.
legba v0.4.0

`[INFO ] targets (2): @target.txt
[DEBUG] loading wordlist from wordlists/passwords.txt ...
[DEBUG] loading wordlist from wordlists/passwords.txt ...
[INFO ] username -> string 'ubuntu'
[INFO ] password -> wordlist wordlists/passwords.txt

[DEBUG] loading wordlist from wordlists/passwords.txt ...
[DEBUG] loading wordlist from wordlists/passwords.txt ...
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] read_ssh_id: reading
[DEBUG] read_ssh_id: reading
[DEBUG] read 41
[DEBUG] Ok("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9\r\n")
[DEBUG] writing, seqn = 0
[DEBUG] padding length 10
[DEBUG] packet_length 628
[DEBUG] writing 632 bytes
[DEBUG] id 41 41
[DEBUG] read 41
[DEBUG] Ok("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9\r\n")
[DEBUG] writing, seqn = 0
[DEBUG] padding length 10
[DEBUG] packet_length 628
[DEBUG] writing 632 bytes
[DEBUG] id 41 41
[DEBUG] reading, len = [0, 0, 4, 28]
[DEBUG] reading, seqn = 0
[DEBUG] reading, clear len = 1052
[DEBUG] read_exact 1056
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] extending []
[DEBUG] kex 189
[DEBUG] kex 211
[DEBUG] kex 219
[DEBUG] client_compression = None
[DEBUG] algo = Names { kex: Name("curve25519-sha256"), key: Name("ssh-ed25519"), cipher: Name("[email protected]"), client_mac: Name("[email protected]"), server_mac: Name("[email protected]"), server_compression: None, client_compression: None, ignore_guessed: false }
[DEBUG] write = []
[DEBUG] i0 = 617
[DEBUG] writing, seqn = 1
[DEBUG] padding length 6
[DEBUG] packet_length 44
[DEBUG] moving to kexdhdone, exchange = Exchange { client_id: CryptoVec { p: 0x7f1678014260, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678014210, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780146e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801a2b0, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801ae90, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x1, size: 0, capacity: 0 } }
[DEBUG] reading, len = [0, 0, 4, 28]
[DEBUG] reading, seqn = 0
[DEBUG] reading, clear len = 1052
[DEBUG] read_exact 1056
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] extending []
[DEBUG] kex 189
[DEBUG] kex 211
[DEBUG] kex 219
[DEBUG] client_compression = None
[DEBUG] algo = Names { kex: Name("curve25519-sha256"), key: Name("ssh-ed25519"), cipher: Name("[email protected]"), client_mac: Name("[email protected]"), server_mac: Name("[email protected]"), server_compression: None, client_compression: None, ignore_guessed: false }
[DEBUG] write = []
[DEBUG] i0 = 617
[DEBUG] writing, seqn = 1
[DEBUG] padding length 6
[DEBUG] packet_length 44
[DEBUG] moving to kexdhdone, exchange = Exchange { client_id: CryptoVec { p: 0x7f1678008bb0, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678008b60, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780091e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801bb00, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801c310, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x1, size: 0, capacity: 0 } }
[DEBUG] reading, len = [0, 0, 0, 188]
[DEBUG] reading, seqn = 1
[DEBUG] reading, clear len = 188
[DEBUG] read_exact 192
[DEBUG] read_exact done
[DEBUG] reading, padding_length 8
[DEBUG] server_public_Key: Ed25519(VerifyingKey(CompressedEdwardsY: [176, 89, 240, 59, 145, 177, 144, 145, 134, 188, 229, 229, 134, 252, 139, 105, 93, 164, 89, 8, 146, 157, 159, 153, 115, 51, 104, 149, 73, 159, 113, 237]), EdwardsPoint{
X: FieldElement51([728083680119007, 436116878926261, 1961446992170349, 446738616696109, 1587327731806879]),
Y: FieldElement51([195237333981616, 242703091683890, 394249906827250, 485764287613188, 1925356338108035]),
Z: FieldElement51([1, 0, 0, 0, 0]),
T: FieldElement51([1493877698679165, 457010286071527, 1037602397152548, 498966669971339, 2077064360606616])
}))
[DEBUG] kexdhdone.exchange = Exchange { client_id: CryptoVec { p: 0x7f1678014260, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678014210, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780146e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801a2b0, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801ae90, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x7f167801c370, size: 32, capacity: 32 } }
[DEBUG] exchange hash: CryptoVec { p: 0x7f167801c3e0, size: 32, capacity: 32 }
[DEBUG] sig_type: [115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57]
[DEBUG] signature: [5, 93, 130, 33, 114, 229, 80, 99, 52, 121, 224, 63, 140, 247, 72, 207, 147, 21, 2, 48, 208, 31, 217, 250, 34, 99, 0, 93, 101, 226, 96, 207, 97, 4, 121, 192, 74, 193, 101, 123, 232, 245, 108, 46, 27, 20, 78, 21, 144, 11, 37, 200, 103, 205, 76, 19, 14, 49, 102, 212, 153, 198, 226, 10]
[DEBUG] writing, seqn = 2
[DEBUG] padding length 10
[DEBUG] packet_length 12
[DEBUG] reading, len = [0, 0, 0, 12]
[DEBUG] reading, seqn = 2
[DEBUG] reading, clear len = 12
[DEBUG] read_exact 16
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] newkeys received
[DEBUG] sending ssh-userauth service requset
[DEBUG] writing, seqn = 3
[DEBUG] padding length 6
[DEBUG] packet_length 24
[DEBUG] write_auth_request_if_needed: is_waiting = false
[DEBUG] reading, len = [0, 0, 0, 188]
[DEBUG] reading, seqn = 1
[DEBUG] reading, clear len = 188
[DEBUG] read_exact 192
[DEBUG] read_exact done
[DEBUG] reading, padding_length 8
[DEBUG] server_public_Key: Ed25519(VerifyingKey(CompressedEdwardsY: [169, 140, 1, 56, 240, 250, 4, 169, 213, 182, 198, 189, 25, 151, 248, 109, 174, 181, 143, 194, 145, 151, 91, 24, 20, 108, 241, 207, 170, 3, 226, 76]), EdwardsPoint{
X: FieldElement51([1898668734245506, 1260599826782178, 735215080225294, 699367638464146, 2019178350260172]),
Y: FieldElement51([1401809545563305, 905691948299552, 632041913180764, 1699897284479201, 1352537725533974]),
Z: FieldElement51([1, 0, 0, 0, 0]),
T: FieldElement51([1120108582023427, 1657369740754767, 1051851098579530, 903210842353603, 1557818474780106])
}))
[DEBUG] kexdhdone.exchange = Exchange { client_id: CryptoVec { p: 0x7f1678008bb0, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678008b60, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780091e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801bb00, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801c310, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x7f1678002950, size: 32, capacity: 32 } }
[DEBUG] exchange hash: CryptoVec { p: 0x7f1678002980, size: 32, capacity: 32 }
[DEBUG] sig_type: [115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57]
[DEBUG] signature: [58, 101, 78, 230, 225, 189, 100, 6, 245, 32, 184, 190, 251, 195, 168, 114, 192, 90, 54, 136, 211, 117, 5, 111, 255, 20, 187, 161, 89, 107, 254, 67, 232, 84, 120, 239, 242, 249, 138, 218, 201, 205, 50, 165, 240, 120, 212, 182, 20, 128, 125, 41, 206, 145, 232, 100, 151, 46, 19, 179, 86, 248, 62, 15]
[DEBUG] writing, seqn = 2
[DEBUG] padding length 10
[DEBUG] packet_length 12
[DEBUG] reading, len = [0, 0, 0, 12]
[DEBUG] reading, seqn = 2
[DEBUG] reading, clear len = 12
[DEBUG] read_exact 16
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] newkeys received
[DEBUG] sending ssh-userauth service requset
[DEBUG] writing, seqn = 3
[DEBUG] padding length 6
[DEBUG] packet_length 24
[DEBUG] write_auth_request_if_needed: is_waiting = false
[DEBUG] reading, len = [144, 64, 88, 9]
[DEBUG] reading, seqn = 3
[DEBUG] reading, clear len = 40
[DEBUG] read_exact 44
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] waiting service request, Some(6) 6
[DEBUG] enc: [0, 0, 0, 54, 50, 0, 0, 0, 6, 117, 98, 117, 110, 116, 117, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 8, 112, 97, 115, 115, 119, 111, 114, 100, 0, 0, 0, 0, 8, 76, 97, 98, 52, 109, 97, 110, 49]
[DEBUG] writing, seqn = 4
[DEBUG] padding length 9
[DEBUG] packet_length 64
[DEBUG] reading, len = [178, 215, 73, 39]
[DEBUG] reading, seqn = 3
[DEBUG] reading, clear len = 40
[DEBUG] read_exact 44
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] waiting service request, Some(6) 6
[DEBUG] enc: [0, 0, 0, 54, 50, 0, 0, 0, 6, 117, 98, 117, 110, 116, 117, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 8, 112, 97, 115, 115, 119, 111, 114, 100, 0, 0, 0, 0, 8, 76, 97, 98, 52, 109, 97, 110, 49]
[DEBUG] writing, seqn = 4
[DEBUG] padding length 9
[DEBUG] packet_length 64
[DEBUG] reading, len = [208, 109, 9, 59]
[DEBUG] reading, seqn = 4
[DEBUG] reading, clear len = 24
[DEBUG] read_exact 28
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] userauth_success
[DEBUG] drop handle
[INFO ] [2023-11-07 11:27:43] (ssh) <10.10.100.11:22> username=ubuntu password=Lab4man1
[DEBUG] disconnected
[DEBUG] drop session
[DEBUG] reading, len = [88, 244, 218, 164]
[DEBUG] reading, seqn = 4
[DEBUG] reading, clear len = 24
[DEBUG] read_exact 28
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] userauth_success
[DEBUG] drop handle
[INFO ] [2023-11-07 11:27:43] (ssh) <10.10.100.10:22> username=ubuntu password=Lab4man1
[DEBUG] disconnected
[DEBUG] drop session
[INFO ] runtime 1.000311534s`

for the password list containing multiple passwords:
RUST_LOG=debug ./legba ssh --username ubuntu --password wordlists/passwords-new.txt --target @target.txt -Q
It is too huge so I will upload it as file

debug.log

@evilsocket
Copy link
Owner

evilsocket commented Nov 7, 2023

mmm any network timeouts or similar in dmesg? what are the specs of the bruteforcing machine? ethernet or wifi? what if you increase the timeout by --timeout 10000?

PS: thank you for the logs

@bleh92
Copy link
Author

bleh92 commented Nov 7, 2023

Ok so the whole setup is being run using proxmox.
Linux Bruteforcer 5.4.0-166-generic #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

The Machine has 4 GB RAM and 2 core processor and I am accessing the machine over vpn. I myself am using wifi on my computer to connect to them.

For more information

image
image

The machines are in the same subnet and can communicate with each other, as I am able to ssh into them from bruteforcer

as for network timeouts in dmesg, there are none
image

The timeout -10000 it kept running until i stopped it.
image

@zip609
Copy link

zip609 commented Nov 8, 2023

Greetings. First of all, I want to express my gratitude to the author, you are great! This is a very cool tool! Unfortunately, I want to inform you that I have exactly the same problem ssh as bleh92. Thank you very much for your work.

@evilsocket
Copy link
Owner

@zip609 hi! can you try with v0.5.0 and, if the error persists, provide me the debug log by running with RUST_LOG=debug ... please?

@bleh92
Copy link
Author

bleh92 commented Nov 8, 2023

Hallo, I don't know if this helps, but RDP plugin is working fine with the same parameters, there probably is a problem with ssh plugin.

./legba rdp --target 10.10.10.28 --username <user> --password wordlists/passwords-new.txt --rdp-domain <domain.local> -O result --output-format jsonl -Q

But when I remove the -Q flag, it again runs endlessly. Similar to what's happening with the ssh plugin.

@evilsocket
Copy link
Owner

I'm failing to reproduce it here ... I'm forcing 2 tasks, using a wordlist with 3 passwords and a targets.txt file with one working ip and one down, and as expected I get this:

Screenshot 2023-11-09 alle 14 04 13

@bleh92
Copy link
Author

bleh92 commented Nov 9, 2023

I see that you are using version v0.5.1, I have also updated to the latest version, but the error persists.
image

I will try running it on my local set-up and give you an update tomorrow.

If it runs there without any problems, it has to be an issue within the Datacenter machines i am using.

Edit:

The script is still not working. I had a friend of mine try your tool from his machine. He ran the script on kali and was trying to bruteforce ssh on to an ubuntu machine. They are both connected via NAT, on his VMware workstation pro.
These were the results.

Version info-
image

Tasks running endlessly-
image

Using -Q flag-
image

ssh into the machine-
image

@evilsocket
Copy link
Owner

Are you running the tool from within a VM as well? NAT?

@bleh92
Copy link
Author

bleh92 commented Nov 13, 2023

Yes, previously I was running the tool on machines set up in proxmox, since they weren't working, I had a friend of mine, run the tool on his kali machine which is installed in vmware workstation. He tried to bruteforce the ssh credentials of another ubuntu machine in VMware, in the same network/subnet(NAT configuration, Just like your home network with a wireless router, the VM will be assigned in a separate subnet, like 192.168.6.1 is your host computer, and VM is 192.168.6.3, then your VM can access outside network like your host, but no outside access to your VM directly, it's protected.), but was getting the same errors I got when I run it over the machines in proxmox.
Hope I am making sense.

@evilsocket
Copy link
Owner

Understood, can you send a screenshot of the VMs network configuration (both from the host, so a screenshot of the vmware/virtualbox network config, and from the guests) so I can try to replicate?

@evilsocket
Copy link
Owner

Also, in the debug.log i see several [DEBUG] Err(Utf8Error { valid_up_to: 48, error_len: Some(1) }) errors ... may I ask if the passwords contain non UTF8 characters, or maybe the ssh server host?

@evilsocket
Copy link
Owner

i was finally able to replicate this using two VMs, debugging & fix in progress

@evilsocket evilsocket added the bug Something isn't working label Nov 15, 2023
@evilsocket
Copy link
Owner

@bleh92 turns out that it is a timeout problem, with few cores (I see 2 in that case) the timeout must be increased. I managed to work around the issue by using --timeout 5000 (or higher). That should solve it for you as well.

Closing for the time being, looking forward to your feedback.

@bleh92
Copy link
Author

bleh92 commented Nov 20, 2023

Hello,
So I used this command
legba ssh --username ubuntu --password wordlists/passwords.txt --target @targets.txt -O result --output-format jsonl --timeout 15000 legba v0.6.0
image

And again I get the same time out error, but the good news is that with -Q flag it works fine
legba ssh --username ubuntu --password wordlists/passwords.txt --target @targets.txt -O result --output-format jsonl -Q legba v0.6.0
image

Password list

image

@bleh92
Copy link
Author

bleh92 commented Nov 20, 2023

Also, in the debug.log i see several [DEBUG] Err(Utf8Error { valid_up_to: 48, error_len: Some(1) }) errors ... may I ask if the passwords contain non UTF8 characters, or maybe the ssh server host?

Ok, so the I think I found the cause for this. So my laptop keyboard seems to be broken. When I create the wordlist using my external keyboard, it worked fine. But when I created the wordlist using the in built keyboard, it failed. Looks like the tab button is being registered sometimes when I use the number keys, pretty weird.
So sorry for the inconvenience.

@evilsocket
Copy link
Owner

can you send the document that generates the issue? I can try to workaround it anyway

@bleh92
Copy link
Author

bleh92 commented Nov 20, 2023

If you are looking for the password list then here it is. This one has a tab space after the last password.
passwords.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants