Full Disclosure mailing list archives

Re: Automated SSH login attempts?


From: Jan Muenther <jan.muenther () nruns com>
Date: Sat, 31 Jul 2004 20:36:39 +0200

Hi there,

Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)

Hm, actually, there's fairly little of that required to see what this beast 
does...  
Guys, I can't help but sing the praise of IDA Pro. Get it, it's worth the 
money. 

The tool itself does not need root rights. What needs to be root is the
portscanner accompanying it.

Yeah, found that too. That, however, is not surprising. It's a SYN-Scanner,
using a detached scanning method, built on libnet (eh, too lazy for raw sockets,
are we) and libpcap, and it's statically linked against them. Both binaries
were not stripped by the way :>

You'll need root rights for constructing packets with libnet and root rights
to set the interface into promiscuous mode for the pcap captures. 


hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows? 

Mkay, it really appears to be just an SSH scanner / bruteforcer, which next 
to the hardcoded username / password combinations also tries the identity / 
public key files of the current user to access other boxes. 

Some stuff from the disassembly (label names are mine, function names are from
the binary, as I said, not stripped). 

So, it first tries to open uniq.txt for its input, nothing new, and bails out
if it can't:

.text:080482E3                 push    offset aR       ; "r"
.text:080482E8                 push    offset aUniq_txt ; "uniq.txt"
.text:080482ED                 call    fopen
.text:080482F2                 add     esp, 10h
.text:080482F5                 mov     [ebp+var_C], eax
.text:080482F8                 cmp     [ebp+var_C], 0
.text:080482FC                 jnz     short loc_8048314
.text:080482FE                 sub     esp, 0Ch
.text:08048301                 push    offset aNuPotDeschideU ; "nu pot deschide uniq.txt\n"
.text:08048306                 call    printf

Is this Romanian? Seen it a lot recently...

.text:0804835B do_it:                                  ; CODE XREF: main+86↑j
.text:0804835B                 call    fork
.text:08048360                 test    eax, eax
.text:08048362                 jnz     short loc_80483A6
.text:08048364                 sub     esp, 4
.text:08048367                 lea     eax, [ebp+var_418]
.text:0804836D                 push    eax
.text:0804836E                 push    offset aTest    ; "test"
.text:08048373                 push    offset aTest    ; "test"
.text:08048378                 call    ccheckauth
.text:0804837D                 add     esp, 10h
.text:08048380                 sub     esp, 4
.text:08048383                 lea     eax, [ebp+var_418]
.text:08048389                 push    eax
.text:0804838A                 push    offset aGuest   ; "guest"
.text:0804838F                 push    offset aGuest   ; "guest"
.text:08048394                 call    ccheckauth
.text:08048399                 add     esp, 10h
.text:0804839C                 sub     esp, 0Ch
.text:0804839F                 push    0
.text:080483A1                 call    exit

Mkay, so, it forks and calls a function called ccheckauth(), giving test and
guest as parameters for the username and password variables of that function. 
Once that's done, it exits. 


So, here's that function:

.text:080481E8                 public ccheckauth
.text:080481E8 ccheckauth      proc near               ; CODE XREF: main+AB↓p
.text:080481E8                                         ; main+C7↓p
.text:080481E8
.text:080481E8 var_14          = dword ptr -14h
.text:080481E8 var_10          = dword ptr -10h
.text:080481E8 var_C           = dword ptr -0Ch
.text:080481E8 var_8           = dword ptr -8
.text:080481E8 var_4           = dword ptr -4
.text:080481E8 arg_0           = dword ptr  8
.text:080481E8 arg_4           = dword ptr  0Ch
.text:080481E8 arg_8           = dword ptr  10h
.text:080481E8
.text:080481E8                 push    ebp
.text:080481E9                 mov     ebp, esp
.text:080481EB                 sub     esp, 18h
.text:080481EE                 mov     [ebp+var_C], 1
.text:080481F5                 mov     [ebp+var_10], offset aNone ; "none"
.text:080481FC                 sub     esp, 0Ch
.text:080481FF                 push    0Fh
.text:08048201                 call    alarm
.text:08048206                 add     esp, 10h
.text:08048209                 sub     esp, 8
.text:0804820C                 lea     eax, [ebp+var_10]
.text:0804820F                 push    eax
.text:08048210                 lea     eax, [ebp+var_C]
.text:08048213                 push    eax
.text:08048214                 call    ssh_getopt
.text:08048219                 add     esp, 10h
.text:0804821C                 mov     [ebp+var_8], eax
.text:0804821F                 sub     esp, 8
.text:08048222                 push    [ebp+arg_0]
.text:08048225                 push    [ebp+var_8]
.text:08048228                 call    options_set_username
.text:0804822D                 add     esp, 10h
.text:08048230                 sub     esp, 8
.text:08048233                 push    [ebp+arg_8]
.text:08048236                 push    [ebp+var_8]
.text:08048239                 call    options_set_host
.text:0804823E                 add     esp, 10h
.text:08048241                 sub     esp, 0Ch
.text:08048244                 push    [ebp+var_8]
.text:08048247                 call    ssh_connect
.text:0804824C                 add     esp, 10h
.text:0804824F                 mov     [ebp+var_4], eax
.text:08048252                 cmp     [ebp+var_4], 0
.text:08048256                 jnz     short loc_804825A
.text:08048258                 jmp     short locret_80482CB
.text:0804825A ; ---------------------------------------------------------------------------

It basically calls a bunch of other functions which do the entire session 
setup stuff for the SSH connection attempts. These functions do exactly what 
their names imply, so I save the disassemblies here for brevity's sake. 

So, there's nothing spectacular here, it's an SSH bruteforcer. One thing though,
it also uses key auth (determines the current user's home dir and looks for
publickey and id files):

.text:08048B90 trykey:                                 ; CODE XREF: ssh_userauth_autopubkey+F6↓j
.text:08048B90                 sub     esp, 8
.text:08048B93                 lea     eax, [ebp+var_10]
.text:08048B96                 push    eax
.text:08048B97                 lea     eax, [ebp+var_14]
.text:08048B9A                 push    eax
.text:08048B9B                 lea     eax, [ebp+var_18]
.text:08048B9E                 push    eax
.text:08048B9F                 push    offset keys_path
.text:08048BA4                 push    offset pub_keys_path
.text:08048BA9                 push    edi
.text:08048BAA                 call    publickey_from_next_file
.text:08048BAF                 add     esp, 20h
.text:08048BB2                 test    eax, eax
.text:08048BB4                 mov     ebx, eax
.text:08048BB6                 jz      nokeymatch
.text:08048BBC                 push    ebx
.text:08048BBD                 mov     eax, [ebp+var_14]
.text:08048BC0                 push    eax
.text:08048BC1                 push    0
.text:08048BC3                 push    edi
.text:08048BC4                 call    ssh_userauth_offer_pubkey
.text:08048BC9                 add     esp, 10h
.text:08048BCC                 cmp     eax, 0FFFFFFFFh
.text:08048BCF                 jz      cleanupkey
.text:08048BD5                 test    eax, eax
.text:08048BD7                 jnz     pubrefused
.text:08048BDD                 push    0
.text:08048BDF                 mov     eax, [ebp+var_14]
.text:08048BE2                 push    eax
.text:08048BE3                 mov     eax, [ebp+var_18]
.text:08048BE6                 push    eax
.text:08048BE7                 push    edi
.text:08048BE8                 call    privatekey_from_file
.text:08048BED                 add     esp, 10h
.text:08048BF0                 test    eax, eax
.text:08048BF2                 mov     esi, eax
.text:08048BF4                 jz      readprivfail
.text:08048BFA                 push    eax
.text:08048BFB                 push    ebx
.text:08048BFC                 push    0
.text:08048BFE                 push    edi
.text:08048BFF                 call    ssh_userauth_pubkey
.text:08048C04                 add     esp, 10h
.text:08048C07                 cmp     eax, 0FFFFFFFFh
.text:08048C0A                 jz      loc_8048CAA
.text:08048C10                 test    eax, eax
.text:08048C12                 jz      short auth_success
.text:08048C14                 sub     esp, 8
.text:08048C17                 push    offset aWeirdServerAcc ; "Weird : server accepted our public key "...
.text:08048C1C                 push    0
.text:08048C1E                 call    ssh_say
.text:08048C23                 mov     [esp+38h+var_38], ebx
.text:08048C26                 call    free
.text:08048C2B                 mov     [esp+38h+var_38], esi
.text:08048C2E                 call    private_key_free

So, yeah, it's a bruteforcer, nothing magic here. 

Right. And somebody volunteered for this job right now, did you? ;-)

Eh. Limited time, new girlfriend is here and it's weekend :-/
So forgive the incompleteness of this :>
Maybe more on Monday. FWIW, if there are other versions out, they might be
more interesting than this tool. 

Cheers, J.
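A defender-side check for the behaviour the disassembly above describes, added here as an example that is not part of the thread: it parses sshd log lines (the sample lines and their format are constructed and assumed) and flags any source that tries the tool's hardcoded test and guest accounts within a short window, also counting public-key offers from that source. Function and constant names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the thread) showing the pattern the
# scanner produces: test/test, then guest/guest, then an offered public key,
# all from one source within a few seconds; plus an unrelated user's failure.
SAMPLE_LOG = """\
Jul 31 20:30:01 host sshd[4101]: Invalid user test from 192.0.2.10
Jul 31 20:30:01 host sshd[4101]: Failed password for invalid user test from 192.0.2.10 port 40100 ssh2
Jul 31 20:30:03 host sshd[4103]: Invalid user guest from 192.0.2.10
Jul 31 20:30:03 host sshd[4103]: Failed password for invalid user guest from 192.0.2.10 port 40102 ssh2
Jul 31 20:30:04 host sshd[4105]: Failed publickey for root from 192.0.2.10 port 40104 ssh2
Jul 31 20:41:10 host sshd[4200]: Failed password for alice from 198.51.100.7 port 50123 ssh2
Jul 31 20:41:40 host sshd[4201]: Accepted password for alice from 198.51.100.7 port 50124 ssh2
"""

# The hardcoded accounts the scanner's main() tries before exiting.
SCANNER_USERS = ("test", "guest")

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

def find_scanner_sources(log_text, window_seconds=60):
    """Return {source_ip: summary} for sources that tried every name in
    SCANNER_USERS within window_seconds of each other (year-less syslog
    timestamps are compared within the same day)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            attempts[m["src"]].append((when, m["user"], m["method"]))
    hits = {}
    for src, tries in attempts.items():
        tries.sort()
        first_seen = {}  # scanner username -> first time it was tried
        for when, user, _ in tries:
            if user in SCANNER_USERS:
                first_seen.setdefault(user, when)
        if len(first_seen) != len(SCANNER_USERS):
            continue
        span = (max(first_seen.values()) - min(first_seen.values())).total_seconds()
        if span <= window_seconds:
            hits[src] = {
                "users": sorted({u for _, u, _ in tries}),
                "pubkey_attempts": sum(1 for _, _, meth in tries if meth == "publickey"),
                "span_seconds": span,
            }
    return hits
```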

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
