Merge branch 'master' of github.com:rapid7/metasploit-framework

2012-01-07 15:14:30 -06:00 · 2012-01-07 15:14:30 -06:00 · 181fe2d925
parent 4e858aba89 b12baccc49
commit 181fe2d925
1 changed files with 16 additions and 1 deletions
--- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
@ -55,6 +55,7 @@ class Metasploit3 < Msf::Auxiliary
 		register_advanced_options(
 			[
 				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+				OptBool.new('SSH_BYPASS', [ false, 'Verify that authentication was not bypassed when keys are found', false]),
 				OptString.new('SSH_KEYFILE_B64', [false, 'Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only.', '']),
 				OptPath.new('KEY_DIR', [false, 'Directory of several keys. Filenames must not begin with a dot in order to be read.'])
 			]
@ -210,7 +211,21 @@ class Metasploit3 < Msf::Auxiliary
 			
 			begin
 				ssh_socket = Net::SSH.start(ip, user, opt_hash)
-				ssh_socket.close rescue nil
+				
+				if datastore['SSH_BYPASS']
+					data = nil
+					
+					print_status("#{ip}:#{rport} - SSH - User #{user} is being tested for authentication bypass...")
+					
+					begin
+						::Timeout.timeout(5) { data = ssh_socket.exec!("help\nid\nuname -a").to_s }
+					rescue ::Exception
+					end
+					
+					print_good("#{ip}:#{rport} - SSH - User #{user} successfully bypassed authentication: #{data.inspect} ") if data
+				end
+				
+				::Timeout.timeout(1) { ssh_socket.close } rescue nil
 				
 			rescue Rex::ConnectionError, Rex::AddressInUse
 				return :connection_error