The other day I read this article by Shaun Waterman at the Washington Times and it ticked me off a bit because of its obvious FUD (fear, uncertainty, and doubt). Mr. Waterman tells us about a flaw in SSH that will bring about data destruction of apocalyptic proportions. The flaw of impending doom? Key management. Apparently people leave SSH private keys lying around unprotected and because of this “most of the data on the servers of every company in the developed world” could get “wiped out.” I can’t blame Mr. Waterman for that gem, he is quoting Tatu Ylonen, the CEO of SSH Communications Security Corp.
I’m not saying SSH key management is not a problem. As a pentester, I look for unprotected SSH keys to dig my way deeper into a client’s network. What I am saying is Mr Waterman and Mr. Ylonen are blowing this thing way out of proportion for no other reason than to sell SSH key management software, which SSH Communications Security Corp just happens to sell.
My favorite part of the article was this quote:
Mr. Ylonen said a computer programmer could create a virus that would exploit SSH’s weaknesses and spread throughout servers to steal, distort or destroy confidential data.
“It would take days, perhaps only hours,” to write such a virus, he said.
So as not to disappoint Mr. Waterman and Mr. Ylonen, I decided to create an SSH super virus. It’s actually a Python script, which you can get here, and Mr. Ylonen was right, it only took me a few hours.
To use the script, follow the instructions below:
- Create a directory and place all the private keys you want to test and ssh_super_virus.py in the directory.
- Create a file called ‘hosts’ in the same directory and add each host you want to test to the file, one per line.
- Create a file called ‘users’ in the same directory and add each user you want to test to the file, one per line.
Ssh_super_virus.py will attempt to login to each host with each user/key combination. If a login is successful, ssh_super_virus.py will download all of the private keys in the users .ssh directory and test those against each user/host combination. You can also edit the script to add a list of evil_commands that will be run on successful login.
As always, use the script only for legal purposes and let me know if there are any problems with the script.