AverageSecurityGuy

Security, Programming, Pentesting

10 January 2013

SSH Pwnage

by averagesecurityguy

After telling you about the impending SSH Apocalypse and releasing the SSH super virus, I received a number of good suggestions on improving my ssh_super_virus.py script. I didn't want to modify ssh_super_virus.py though because I want to keep it for posterity's sake. Instead I rewrote ssh_super_virus.py and included the suggested changes.

So, I give you ssh_pwn.py. This script will read the 'users' file and the SSH keys in the current directory and use them to authenticate to the list of hosts in the 'hosts' file, also in the current directory. If authentication is successful, the script will attempt to download additional SSH keys, the .bash_history file for the user, and SSL private keys. In addition, the script can be configured to automatically add new users, from /etc/passwd, and new hosts, from .ssh/known_hosts, to the list of users and hosts to test. Finally, you can give ssh_pwn.py your own list of post-exploitation commands, which it will attempt to run, saving the output in the 'postexploit' file in the current directory.

You can get ssh_pwn.py from my pentest scripts repository at github.com. Enjoy, and as always let me know if there are any problems or if you have any suggested changes. 
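On the defensive side, trying every key against every user on every host leaves a recognizable trail in sshd auth logs: one source attempting publickey logins for many accounts, and one key fingerprint being accepted for more than one account or host. The following is an added example, not part of ssh_pwn.py or the original post; it assumes OpenSSH-style log lines that include the key fingerprint, and the sample log, the function name and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed OpenSSH sshd log format; the fingerprint suffix is optional.
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\spublickey\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+\sssh2"
    r"(?::\s\S+\s(?P<fp>\S+))?"
)

# Constructed sample: aggregated auth logs from two hosts (not real data).
SAMPLE_LOG = """\
Jan 10 09:00:01 web01 sshd[2101]: Failed publickey for invalid user deploy from 192.0.2.10 port 40110 ssh2: RSA SHA256:KEYA
Jan 10 09:00:02 web01 sshd[2102]: Failed publickey for root from 192.0.2.10 port 40111 ssh2: RSA SHA256:KEYA
Jan 10 09:00:03 web01 sshd[2103]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2: RSA SHA256:KEYA
Jan 10 09:00:09 db01 sshd[877]: Accepted publickey for backup from 192.0.2.10 port 40120 ssh2: RSA SHA256:KEYA
Jan 10 09:05:00 web01 sshd[2200]: Accepted publickey for bob from 198.51.100.7 port 50000 ssh2: RSA SHA256:KEYB
"""


def find_key_spraying(log_text, min_users=3):
    """Return (sources trying many users, fingerprints accepted in many places)."""
    users_by_src = defaultdict(set)    # source IP -> usernames tried with publickey
    accepted_by_fp = defaultdict(set)  # fingerprint -> (host, user) pairs it opened
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a publickey auth line
        users_by_src[m["src"]].add(m["user"])
        if m["result"] == "Accepted" and m["fp"]:
            accepted_by_fp[m["fp"]].add((m["host"], m["user"]))
    # One source cycling through many account names with key auth.
    spraying = {s: sorted(u) for s, u in users_by_src.items() if len(u) >= min_users}
    # One key that unlocked more than one account or host.
    reused = {fp: sorted(p) for fp, p in accepted_by_fp.items() if len(p) > 1}
    return spraying, reused


if __name__ == "__main__":
    spraying, reused = find_key_spraying(SAMPLE_LOG)
    for src, users in spraying.items():
        print(f"{src} tried publickey auth as: {', '.join(users)}")
    for fp, places in reused.items():
        print(f"{fp} accepted for: {places}")
```

Failed publickey attempts for valid users are only logged at higher sshd log levels until several failures accumulate, so the reused-key check on accepted logins is the more dependable of the two signals.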

tags: Code - Pentest - SSH Apocalypse