Announcing the Impending SSH Apocalypse

The other day I read this article by Shaun Waterman at the Washington Times and it ticked me off a bit because of its obvious FUD (fear, uncertainty, and doubt). Mr. Waterman tells us about a flaw in SSH that will bring about data destruction of apocalyptic proportions. The flaw of impending doom? Key management. Apparently people leave SSH private keys lying around unprotected and because of this “most of the data on the servers of every company in the developed world” could get “wiped out.” I can’t blame Mr. Waterman for that gem; he is quoting Tatu Ylonen, the CEO of SSH Communications Security Corp.

I’m not saying SSH key management is not a problem. As a pentester, I look for unprotected SSH keys to dig my way deeper into a client’s network. What I am saying is that Mr. Waterman and Mr. Ylonen are blowing this thing way out of proportion for no other reason than to sell SSH key management software, which SSH Communications Security Corp just happens to sell.

My favorite part of the article was this quote:

Mr. Ylonen said a computer programmer could create a virus that would exploit SSH’s weaknesses and spread throughout servers to steal, distort or destroy confidential data.
“It would take days, perhaps only hours,” to write such a virus, he said.

So as not to disappoint Mr. Waterman and Mr. Ylonen, I decided to create an SSH super virus. It’s actually a Python script, which you can get here, and Mr. Ylonen was right, it only took me a few hours.

To use the script, follow the instructions below:

  1. Create a directory and place all the private keys you want to test in the directory.
  2. Create a file called ‘hosts’ in the same directory and add each host you want to test to the file, one per line.
  3. Create a file called ‘users’ in the same directory and add each user you want to test to the file, one per line.

The script will attempt to log in to each host with each user/key combination. If a login is successful, it will download all of the private keys in the user’s .ssh directory and test those against each user/host combination. You can also edit the script to add a list of evil_commands that will be run on successful login.

As always, use the script only for legal purposes and let me know if there are any problems with the script.
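A defender's counterpart to the unprotected-key problem described above, as an added example that is not part of the original post or its script: a local audit that finds private key files under a directory and reports whether each one is passphrase-encrypted and whether its permissions allow group or other access. The function names and the header-only sample builder are assumptions made for illustration.

```python
import base64, os, stat

MAGIC = b"openssh-key-v1\x00"  # start of a decoded OpenSSH-format private key

def key_protection(text):
    """Return 'encrypted', 'unencrypted', or None if text is not a private key."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return "encrypted"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        body = blob[len(MAGIC):]
        n = int.from_bytes(body[:4], "big")  # length prefix of the cipher name
        if not blob.startswith(MAGIC) or len(body) < 4 + n:
            return None
        return "unencrypted" if body[4:4 + n] == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC) marks encryption with a Proc-Type header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in lines[1:3] else "unencrypted"

def audit_dir(root):
    """Walk root; return sorted (path, state, group_or_other_access) per key."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    state = key_protection(fh.read(65536))
                loose = bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
            except OSError:
                continue  # unreadable or vanished file
            if state:
                findings.append((path, state, loose))
    return sorted(findings)

def sample_openssh_key(cipher):
    """Constructed header-only sample (no key material) for testing the parser."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    b64 = base64.b64encode(MAGIC + s(cipher) + s(b"none") + s(b"")).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for path, state, loose in audit_dir(os.path.expanduser("~/.ssh")):
        print(path, state, "group/other access" if loose else "owner-only")
```

Any key reported as unencrypted, or with group/other access, is a candidate for a passphrase, tighter permissions, or removal.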

4 responses to “Announcing the Impending SSH Apocalypse”

  1. Nice. One could also download known_hosts file from users’ directory and use it to improve hosts and users files for more fun.

  2. In addition to known_hosts, ~/.bash_history is worth a grep for full previously-used ssh commands. This can glean key locations (relying on only the home dir can bear little fruit ITRW) + user@host info.

  3. Pingback: SSH Pwnage | AverageSecurityGuy
