Libssh2 + ssh-brute support #910
Conversation
|
Can you please clean this up by removing the build directories ( |
|
Removed a lot of files. We are down from 711 to 382 added/changed files. From libssh2, the directories docs, examples, test were removed. The .gitignore file was also updated to include the Debug_lib and Release_lib directories. I cannot remove the contrib directory of libz since the visual studio files are contained in that directory. I haven't removed the test directory from libz. The compilation was failing without it. More changes will need to be performed to the library in order to exclude that directory. |
|
Some findings from the check script: The one about "username" is causing a script crash when I try ssh-publickey-acceptance against localhost with a single username and single public key file. More comments coming soon. |
nse_utility.h
Outdated
| @@ -8,9 +8,9 @@ class Target; | |||
| #include "nmap_config.h" | |||
| #endif | |||
|
|
|||
| #if HAVE_STDINT_H | |||
| //#if HAVE_STDINT_H | |||
There was a problem hiding this comment.
Don't change this; instead add this to nmap_winconfig.h:
diff --git a/nmap_winconfig.h b/nmap_winconfig.h
index bb59dfa..912d790 100644
--- a/nmap_winconfig.h
+++ b/nmap_winconfig.h
@@ -144,6 +144,8 @@
#define HAVE_OPENSSL 1
#define HAVE_SSL_SET_TLSEXT_HOST_NAME 1
+/* Since MSVC 2010, stdint.h is included as part of C99 compatibility */
+#define HAVE_STDINT_H 1
#define LUA_INCLUDED 1
#undef PCAP_INCLUDEDThere was a problem hiding this comment.
It doesn't seem to compile in windows when adding the HAVE_STDINT_H flag in nmap_winconfig.h
There was a problem hiding this comment.
Ah, we need to include nmap_winconfig.h here.
#ifdef HAVE_CONFIG_H
#include "nmap_config.h"
#else
#ifdef WIN32
#include "nmap_winconfig.h"
#endif /* WIN32 */
#endif /* HAVE_CONFIG_H */There was a problem hiding this comment.
Ah, we need to include nmap_winconfig.h here.
#ifdef HAVE_CONFIG_H
#include "nmap_config.h"
#else
#ifdef WIN32
#include "nmap_winconfig.h"
#endif /* WIN32 */
#endif /* HAVE_CONFIG_H */
|
Can we add library version output for libssh2 and zlib just like we do for openssl, libpcre, etc.? See display_nmap_version in nmap.cc. This will make it easier to check whether different configure options are being respected. |
|
Compiler warning (LLDB on OS X): EDIT: This is caused because clang doesn't know that luaL_error is not a returning function. You can avoid it by using |
|
Breaks on OS X due to libssh2's configure script ignoring the diff --git a/configure.ac b/configure.ac
index 5ba1a04..47e98f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -355,6 +355,7 @@ AC_HELP_STRING([--with-openssl=DIR],[Use optional openssl libs and includes from
;;
*)
specialssldir="$with_openssl"
+ ac_configure_args="$ac_configure_args '--with-libssl-prefix=$with_openssl'"
CPPFLAGS="$CPPFLAGS -I$with_openssl/include"
LDFLAGS="$LDFLAGS -L$with_openssl/lib"
;;and of course run autoconf to regenerate Of note, this is probably the right solution for nmap/ncrack#1, not making modifications to opensshlib as was done to close that issue. |
|
Fixed the check script warnings. |
nse_libssh2.cc
Outdated
| struct ssh_userdata *sshu = NULL; | ||
|
|
||
| sshu = (struct ssh_userdata *) nseU_checkudata(L, 1, SSH2_UDATA, "ssh2"); | ||
| if (sshu) { |
There was a problem hiding this comment.
This condition should also cover the closing of the sockets below, otherwise if sshu is NULL then it's a null pointer dereference. This line could be written as if (!sshu) { return 0; } to avoid indenting the rest of the function, or even return luaL_error(L, "some error");, though I am not sure what the exact sequence of events would have to be in order for it to be NULL.
| @@ -0,0 +1,120 @@ | |||
| -- | |||
There was a problem hiding this comment.
This needs to be --- (3 hyphens) in order for this block to be parsed as NSEdoc.
nselib/libssh2.luadoc
Outdated
| -- | ||
| -- @author Devin Bjelland | ||
| -- @author Sergey Khegay | ||
| -- @copyright same as Nmap |
There was a problem hiding this comment.
Please use the exact "Same as Nmap--See https://nmap.org/book/man-legal.html" string here.
nselib/libssh2-utility.lua
Outdated
| while not libssh2.channel_eof(channel) do | ||
| data = libssh2.channel_read(self.session, channel) | ||
| if data then | ||
| buff = buff .. data |
There was a problem hiding this comment.
Concatenation within a loop is potentially dangerous (CPU sink due to repeated memory allocation and copy). Make buff a table and append to it, then return the concatenation of the table.
nselib/libssh2-utility.lua
Outdated
| -- @return true on success or false on failure. | ||
| function SSHConnection:publickey_auth(username, privatekey_file, passphrase) | ||
| if not passphrase then | ||
| local passphrase = "" |
There was a problem hiding this comment.
This local variable goes out of scope in the very next line. Probably this block doesn't need to be here. libssh2.userauth_publickey should understand a nil passphrase to mean no passphrase.
nselib/libssh2-utility.lua
Outdated
| end | ||
|
|
||
|
|
||
| function SSHConnection:list(username) |
There was a problem hiding this comment.
Need NSEdoc for the rest of these functions and complete NSEdoc for a few of the others.
nselib/libssh2-utility.lua
Outdated
| -- @param username A username to authenticate as. | ||
| -- @param password A password to authenticate as. | ||
| -- @return true on success or false on failure. | ||
| function SSHConnection:password_auth(username, password) |
There was a problem hiding this comment.
After this is committed, it will be important to add keyboard_interactive auth also.
There was a problem hiding this comment.
Do you want this to be added in the nse_libssh2.cc and the libssh2-utility.lua as a function or as a part of the ssh scripts as well?
There was a problem hiding this comment.
Don't worry about it until this PR is merged first. But the goal would be for ssh-brute to use either one transparently, since many users don't/can't perceive a difference. Logic would look something like:
- If password auth is supported, do that.
- If not, but keyboard-interactive auth is supported, try to see if it's a password prompt.
- If it's a password prompt, continue brute forcing over keyboard-interactive.
Keyboard-interactive can be other things, though, so maybe we'll have to add different script-args to enable other kinds of prompts, but the most common is a simple PAM password prompt. I'd guess (though haven't researched that part of the protocol) that the API would be something like handing the script a socket connected to the other end, and let the script do prompt detection (like telnet-brute does) and actual authentication.
Another fun thing might be a script to grab the "banner" of keyboard-interactive auth (OpenSSH's sshd_config uses the Banner directive for this).
|
That's all the comments I have. It would be nice to have trailing whitespace cleaned up and check for proper indentation: https://secwiki.org/w/Nmap/Code_Standards |
|
Made most of the changes. |
|
I'm satisfied with this. If your mentor agrees, please merge and commit to SVN. |
This pull request is a collaborative effort of Devin Bjelland, Sergey Khegay and me. This request introduces the ssh-brute script and various other ssh scripts.
More specifically this pull request includes the following scripts:
ssh-brute
ssh-run
ssh-auth-methods
ssh-publickey-acceptance
The following libraries have been included:
libssh2 1.8.0
zlib 1.2.8