Libssh2 + ssh-brute support #910
Can you please clean this up by removing the build directories (
Removed a lot of files. We are down from 711 to 382 added/changed files. From libssh2, the directories docs, examples, test were removed. The .gitignore file was also updated to include the Debug_lib and Release_lib directories. I cannot remove the contrib directory of libz since the visual studio files are contained in that directory. I haven't removed the test directory from libz. The compilation was failing without it. More changes will need to be performed to the library in order to exclude that directory.
Some findings from the check script:
The one about "username" is causing a script crash when I try ssh-publickey-acceptance against localhost with a single username and single public key file. More comments coming soon.
nse_utility.h
@@ -8,9 +8,9 @@ class Target; | |||
#include "nmap_config.h" | |||
#endif | |||
|
|||
#if HAVE_STDINT_H | |||
//#if HAVE_STDINT_H |
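Review bot: Commenting out `#if HAVE_STDINT_H` drops the configure-driven guard on every platform rather than fixing the Windows build alone; keep the guard in nse_utility.h and make the Windows configuration header define HAVE_STDINT_H so the existing check simply becomes true on MSVC.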
Don't change this; instead add this to nmap_winconfig.h:
diff --git a/nmap_winconfig.h b/nmap_winconfig.h
index bb59dfa..912d790 100644
--- a/nmap_winconfig.h
+++ b/nmap_winconfig.h
@@ -144,6 +144,8 @@
#define HAVE_OPENSSL 1
#define HAVE_SSL_SET_TLSEXT_HOST_NAME 1
+/* Since MSVC 2010, stdint.h is included as part of C99 compatibility */
+#define HAVE_STDINT_H 1
#define LUA_INCLUDED 1
#undef PCAP_INCLUDED
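Review bot: A define in nmap_winconfig.h only takes effect in nse_utility.h if that file includes nmap_winconfig.h; the nse_utility.h hunk above shows it pulling in nmap_config.h under a conditional, with no Windows branch, so the define needs a matching `#ifdef WIN32` / `#include "nmap_winconfig.h"` in nse_utility.h or the `#if HAVE_STDINT_H` check stays false on MSVC.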
It doesn't seem to compile in windows when adding the HAVE_STDINT_H flag in nmap_winconfig.h
Ah, we need to include nmap_winconfig.h here.
#ifdef HAVE_CONFIG_H
#include "nmap_config.h"
#else
#ifdef WIN32
#include "nmap_winconfig.h"
#endif /* WIN32 */
#endif /* HAVE_CONFIG_H */
Can we add library version output for libssh2 and zlib just like we do for openssl, libpcre, etc.? See display_nmap_version in nmap.cc. This will make it easier to check whether different configure options are being respected.
Compiler warning (LLDB on OS X):
EDIT: This is caused because clang doesn't know that luaL_error is not a returning function. You can avoid it by using
Breaks on OS X due to libssh2's configure script ignoring the
diff --git a/configure.ac b/configure.ac
index 5ba1a04..47e98f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -355,6 +355,7 @@ AC_HELP_STRING([--with-openssl=DIR],[Use optional openssl libs and includes from
;;
*)
specialssldir="$with_openssl"
+ ac_configure_args="$ac_configure_args '--with-libssl-prefix=$with_openssl'"
CPPFLAGS="$CPPFLAGS -I$with_openssl/include"
LDFLAGS="$LDFLAGS -L$with_openssl/lib"
;;
and of course run autoconf to regenerate. Of note, this is probably the right solution for nmap/ncrack#1, not making modifications to opensshlib as was done to close that issue.
Fixed the check script warnings.
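Review bot: Only the default `*)` branch appends `--with-libssl-prefix=$with_openssl` to ac_configure_args, so whenever one of the earlier case patterns matches the libssh2 sub-configure receives no prefix at all and will fall back to its own OpenSSL discovery; if those branches can also carry a usable directory, forward the prefix there as well. The single quotes inside the double-quoted string are the usual idiom for ac_configure_args and survive spaces in the path, but a directory containing a single quote will still break the re-parse.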
nse_libssh2.cc
struct ssh_userdata *sshu = NULL; | ||
|
||
sshu = (struct ssh_userdata *) nseU_checkudata(L, 1, SSH2_UDATA, "ssh2"); | ||
if (sshu) { |
This condition should also cover the closing of the sockets below, otherwise if `sshu` is `NULL` then it's a null pointer dereference. This line could be written as `if (!sshu) { return 0; }` to avoid indenting the rest of the function, or even `return luaL_error(L, "some error");`, though I am not sure what the exact sequence of events would have to be in order for it to be `NULL`.
Done
@@ -0,0 +1,120 @@ | |||
-- |
This needs to be `---` (3 hyphens) in order for this block to be parsed as NSEdoc.
Done
nselib/libssh2.luadoc
-- | ||
-- @author Devin Bjelland | ||
-- @author Sergey Khegay | ||
-- @copyright same as Nmap |
Please use the exact "Same as Nmap--See https://nmap.org/book/man-legal.html" string here.
Done
nselib/libssh2-utility.lua
while not libssh2.channel_eof(channel) do | ||
data = libssh2.channel_read(self.session, channel) | ||
if data then | ||
buff = buff .. data |
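Review bot: When channel_read returns nil the loop only skips the append and re-tests channel_eof; if a read fails without the channel ever reaching EOF this becomes a busy loop, so a nil (or false plus error) result should break out of the loop and be reported rather than silently retried.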
Concatenation within a loop is potentially dangerous (CPU sink due to repeated memory allocation and copy). Make `buff` a table and append to it, then return the concatenation of the table.
Done
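The table-buffer read loop the reviewer asks for, written out as an added example rather than code from the PR or from Nmap's nselib. The `libssh2` table below is a constructed stand-in that models only `channel_eof` and `channel_read`, so the script runs offline; it also handles the case the snippet above does not, a nil read before EOF, by stopping instead of spinning on `channel_eof`.

```lua
-- Added example (not the PR's code): drain a channel into a table buffer
-- and join once, instead of `buff = buff .. data` on every iteration.
-- `libssh2` here is a constructed stand-in for the NSE binding.
local libssh2 = {}

-- EOF once every constructed chunk has been consumed.
function libssh2.channel_eof(channel)
  return channel.pos > #channel.chunks
end

-- Returns the next chunk; an empty chunk stands in for a read failure
-- (constructed behaviour, returning nil plus an error string).
function libssh2.channel_read(session, channel)
  local chunk = channel.chunks[channel.pos]
  channel.pos = channel.pos + 1
  if chunk == "" then
    return nil, "read error"
  end
  return chunk
end

-- Reads until EOF. Appending to a table is O(1) per chunk and the single
-- table.concat at the end is linear in the total size; repeated string
-- concatenation copies the whole buffer each time, which is quadratic.
-- A failed read returns nil, the error, and whatever was received so far,
-- rather than looping until channel_eof happens to become true.
local function read_all(session, channel)
  local buff = {}
  while not libssh2.channel_eof(channel) do
    local data, err = libssh2.channel_read(session, channel)
    if not data then
      return nil, err or "channel_read failed", table.concat(buff)
    end
    buff[#buff + 1] = data
  end
  return table.concat(buff)
end

-- Constructed sample: three chunks of command output, then EOF.
local ok_channel = { chunks = { "uid=1000(", "user) ", "gid=1000\n" }, pos = 1 }
io.write(read_all(nil, ok_channel))

-- Constructed failure: the second read fails before EOF; the partial
-- output is still available to the caller as the third return value.
local bad_channel = { chunks = { "partial ", "", "never read" }, pos = 1 }
local data, err, partial = read_all(nil, bad_channel)
print(data, err, partial)
```

Returning the partial buffer alongside the error lets a script such as ssh-run show what the remote command produced before the channel broke, which is usually more useful than discarding it.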
nselib/libssh2-utility.lua
-- @return true on success or false on failure. | ||
function SSHConnection:publickey_auth(username, privatekey_file, passphrase) | ||
if not passphrase then | ||
local passphrase = "" |
This `local` variable goes out of scope in the very next line. Probably this block doesn't need to be here. `libssh2.userauth_publickey` should understand a `nil` passphrase to mean no passphrase.
Done
nselib/libssh2-utility.lua
end | ||
|
||
|
||
function SSHConnection:list(username) |
Need NSEdoc for the rest of these functions and complete NSEdoc for a few of the others.
Done
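An added example, not code from the PR or from nselib, covering two of the review threads above: the `---` / `@author` / `@copyright` NSEdoc header and per-function `@param` / `@return` blocks, and the block-scoped `local passphrase` that never reaches the binding. `libssh2.userauth_publickey` is a constructed stand-in that records what it was called with and accepts a nil passphrase as "no passphrase", as the reviewer expects of the real binding; `SSHConnection.new` and the "alice" success rule are assumptions for the demonstration.

```lua
--- A minimal SSH connection wrapper, documented in NSEdoc form.
--
-- Added example (not the PR's code); the libssh2 binding is stubbed.
-- @author Example Author
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html

-- Constructed stand-in for the NSE libssh2 binding.
local libssh2 = { last_call = nil }
function libssh2.userauth_publickey(session, username, privatekey_file, passphrase)
  -- nil means "no passphrase"; only "alice" is accepted (constructed rule).
  libssh2.last_call = { username = username, file = privatekey_file,
                        passphrase = passphrase or "" }
  return username == "alice"
end

local SSHConnection = {}
SSHConnection.__index = SSHConnection

--- Wraps an existing session handle.
-- @param session A libssh2 session object.
-- @return A new SSHConnection.
function SSHConnection.new(session)
  return setmetatable({ session = session }, SSHConnection)
end

--- Attempts public key authentication.
--
-- The passphrase is passed through unchanged: the binding treats nil as
-- "no passphrase", so no defaulting block is needed here.
-- @param username A username to authenticate as.
-- @param privatekey_file Path to the private key file.
-- @param passphrase Passphrase for the key, or nil if the key has none.
-- @return true on success or false on failure.
function SSHConnection:publickey_auth(username, privatekey_file, passphrase)
  return libssh2.userauth_publickey(self.session, username, privatekey_file, passphrase)
end

-- The pattern flagged in review: `local` inside the if-block declares a
-- new variable that dies at `end`, so the parameter is still nil afterwards.
local function buggy_default(passphrase)
  if not passphrase then
    local passphrase = ""
  end
  return passphrase
end

-- The working form, if a default is wanted at all: assign to the parameter.
local function fixed_default(passphrase)
  passphrase = passphrase or ""
  return passphrase
end

local conn = SSHConnection.new("session-handle")          -- constructed handle
print(conn:publickey_auth("alice", "/tmp/id_ed25519"))    -- constructed path
print(libssh2.last_call.passphrase == "")
print(conn:publickey_auth("bob", "/tmp/id_ed25519", "hunter2"))
print(buggy_default(nil) == nil, fixed_default(nil) == "")
```

The two `*_default` helpers exist only to make the scoping point visible; in the wrapper itself the cleanest fix is the one the reviewer suggests, which is to delete the block and let nil mean "no passphrase".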
nselib/libssh2-utility.lua
-- @param username A username to authenticate as. | ||
-- @param password A password to authenticate as. | ||
-- @return true on success or false on failure. | ||
function SSHConnection:password_auth(username, password) |
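Review bot: The `@param password` line reads "A password to authenticate as", copied from the username line; it should read "A password to authenticate with".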
After this is committed, it will be important to add keyboard_interactive auth also.
Do you want this to be added in the nse_libssh2.cc and the libssh2-utility.lua as a function or as a part of the ssh scripts as well?
Don't worry about it until this PR is merged first. But the goal would be for ssh-brute to use either one transparently, since many users don't/can't perceive a difference. Logic would look something like:
- If password auth is supported, do that.
- If not, but keyboard-interactive auth is supported, try to see if it's a password prompt.
- If it's a password prompt, continue brute forcing over keyboard-interactive.
Keyboard-interactive can be other things, though, so maybe we'll have to add different script-args to enable other kinds of prompts, but the most common is a simple PAM password prompt. I'd guess (though haven't researched that part of the protocol) that the API would be something like handing the script a socket connected to the other end, and let the script do prompt detection (like telnet-brute does) and actual authentication.
Another fun thing might be a script to grab the "banner" of keyboard-interactive auth (OpenSSH's sshd_config uses the Banner directive for this).
That's all the comments I have. It would be nice to have trailing whitespace cleaned up and check for proper indentation: https://secwiki.org/w/Nmap/Code_Standards
Made most of the changes.
I'm satisfied with this. If your mentor agrees, please merge and commit to SVN.
This pull request is a collaborative effort of Devin Bjelland, Sergey Khegay and me. This request introduces the ssh-brute script and various other ssh scripts.
More specifically this pull request includes the following scripts:
ssh-brute
ssh-run
ssh-auth-methods
ssh-publickey-acceptance
The following libraries have been included:
libssh2 1.8.0
zlib 1.2.8