Message-ID: <20040731183639.GA499@localghost.muenther.de>
From: jan.muenther at nruns.com (Jan Muenther)
Subject: Automated SSH login attempts?
Hi there,
> Agreed. The thing *is* publicly available, just do 'wget
> frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
> far is not availability, but lacking knowledge about the ssh protocol on
> my side ;-)
Hm, actually, there's fairly little of that required to see what this beast
does...
Guys, I can't help but sing the praise of IDA Pro. Get it, it's worth the
money.
> The tool itself does not need root rights. What needs to be root is the
> portscanner accompanying it.
Yeah, found that too. That, however, is not surprising. It's a SYN scanner,
using a detached scanning method, built on libnet (eh, too lazy for raw sockets,
are we) and libpcap, and it's statically linked against them. Both binaries
were not stripped, by the way :>
You'll need root rights for constructing packets with libnet and root rights
to set the interface into promiscuous mode for the pcap captures.
>
> hehe. According to a brief look at the strace of this thingy, it does
> not do anything suspicious on the local box. But maybe I should have a
> second look - who knows?
Mkay, it really appears to be just an SSH scanner / bruteforcer, which next
to the hardcoded username / password combinations also tries the identity /
public key files of the current user to access other boxes.
Some stuff from the disassembly (label names are mine, function names are from
the binary, as I said, not stripped).
So, it first tries to open uniq.txt for its input, nothing new, and bails out
if it can't:
.text:080482E3 push offset aR ; "r"
.text:080482E8 push offset aUniq_txt ; "uniq.txt"
.text:080482ED call fopen
.text:080482F2 add esp, 10h
.text:080482F5 mov [ebp+var_C], eax
.text:080482F8 cmp [ebp+var_C], 0
.text:080482FC jnz short loc_8048314
.text:080482FE sub esp, 0Ch
.text:08048301 push offset aNuPotDeschideU ; "nu pot deschide uniq.txt\n"
.text:08048306 call printf
Is this Romanian? Seen it a lot recently...
.text:0804835B do_it: ; CODE XREF: main+86↑j
.text:0804835B call fork
.text:08048360 test eax, eax
.text:08048362 jnz short loc_80483A6
.text:08048364 sub esp, 4
.text:08048367 lea eax, [ebp+var_418]
.text:0804836D push eax
.text:0804836E push offset aTest ; "test"
.text:08048373 push offset aTest ; "test"
.text:08048378 call ccheckauth
.text:0804837D add esp, 10h
.text:08048380 sub esp, 4
.text:08048383 lea eax, [ebp+var_418]
.text:08048389 push eax
.text:0804838A push offset aGuest ; "guest"
.text:0804838F push offset aGuest ; "guest"
.text:08048394 call ccheckauth
.text:08048399 add esp, 10h
.text:0804839C sub esp, 0Ch
.text:0804839F push 0
.text:080483A1 call exit
Mkay, so, it forks and calls a function called ccheckauth(), giving test and
guest as parameters for the username and password variables of that function.
Once that's done, it exits.
So, here's that function:
.text:080481E8 public ccheckauth
.text:080481E8 ccheckauth proc near ; CODE XREF: main+AB↓p
.text:080481E8 ; main+C7↓p
.text:080481E8
.text:080481E8 var_14 = dword ptr -14h
.text:080481E8 var_10 = dword ptr -10h
.text:080481E8 var_C = dword ptr -0Ch
.text:080481E8 var_8 = dword ptr -8
.text:080481E8 var_4 = dword ptr -4
.text:080481E8 arg_0 = dword ptr 8
.text:080481E8 arg_4 = dword ptr 0Ch
.text:080481E8 arg_8 = dword ptr 10h
.text:080481E8
.text:080481E8 push ebp
.text:080481E9 mov ebp, esp
.text:080481EB sub esp, 18h
.text:080481EE mov [ebp+var_C], 1
.text:080481F5 mov [ebp+var_10], offset aNone ; "none"
.text:080481FC sub esp, 0Ch
.text:080481FF push 0Fh
.text:08048201 call alarm
.text:08048206 add esp, 10h
.text:08048209 sub esp, 8
.text:0804820C lea eax, [ebp+var_10]
.text:0804820F push eax
.text:08048210 lea eax, [ebp+var_C]
.text:08048213 push eax
.text:08048214 call ssh_getopt
.text:08048219 add esp, 10h
.text:0804821C mov [ebp+var_8], eax
.text:0804821F sub esp, 8
.text:08048222 push [ebp+arg_0]
.text:08048225 push [ebp+var_8]
.text:08048228 call options_set_username
.text:0804822D add esp, 10h
.text:08048230 sub esp, 8
.text:08048233 push [ebp+arg_8]
.text:08048236 push [ebp+var_8]
.text:08048239 call options_set_host
.text:0804823E add esp, 10h
.text:08048241 sub esp, 0Ch
.text:08048244 push [ebp+var_8]
.text:08048247 call ssh_connect
.text:0804824C add esp, 10h
.text:0804824F mov [ebp+var_4], eax
.text:08048252 cmp [ebp+var_4], 0
.text:08048256 jnz short loc_804825A
.text:08048258 jmp short locret_80482CB
.text:0804825A ; ---------------------------------------------------------------------------
It basically calls a bunch of other functions which do the entire session
setup stuff for the SSH connection attempts. These functions do exactly what
their names imply, so I'll spare you the disassemblies here for brevity's sake.
So, there's nothing spectacular here, it's an SSH bruteforcer. One thing though,
it also uses key auth (determines the current user's home dir and looks for
publickey and id files):
.text:08048B90 trykey: ; CODE XREF: ssh_userauth_autopubkey+F6↓j
.text:08048B90 sub esp, 8
.text:08048B93 lea eax, [ebp+var_10]
.text:08048B96 push eax
.text:08048B97 lea eax, [ebp+var_14]
.text:08048B9A push eax
.text:08048B9B lea eax, [ebp+var_18]
.text:08048B9E push eax
.text:08048B9F push offset keys_path
.text:08048BA4 push offset pub_keys_path
.text:08048BA9 push edi
.text:08048BAA call publickey_from_next_file
.text:08048BAF add esp, 20h
.text:08048BB2 test eax, eax
.text:08048BB4 mov ebx, eax
.text:08048BB6 jz nokeymatch
.text:08048BBC push ebx
.text:08048BBD mov eax, [ebp+var_14]
.text:08048BC0 push eax
.text:08048BC1 push 0
.text:08048BC3 push edi
.text:08048BC4 call ssh_userauth_offer_pubkey
.text:08048BC9 add esp, 10h
.text:08048BCC cmp eax, 0FFFFFFFFh
.text:08048BCF jz cleanupkey
.text:08048BD5 test eax, eax
.text:08048BD7 jnz pubrefused
.text:08048BDD push 0
.text:08048BDF mov eax, [ebp+var_14]
.text:08048BE2 push eax
.text:08048BE3 mov eax, [ebp+var_18]
.text:08048BE6 push eax
.text:08048BE7 push edi
.text:08048BE8 call privatekey_from_file
.text:08048BED add esp, 10h
.text:08048BF0 test eax, eax
.text:08048BF2 mov esi, eax
.text:08048BF4 jz readprivfail
.text:08048BFA push eax
.text:08048BFB push ebx
.text:08048BFC push 0
.text:08048BFE push edi
.text:08048BFF call ssh_userauth_pubkey
.text:08048C04 add esp, 10h
.text:08048C07 cmp eax, 0FFFFFFFFh
.text:08048C0A jz loc_8048CAA
.text:08048C10 test eax, eax
.text:08048C12 jz short auth_success
.text:08048C14 sub esp, 8
.text:08048C17 push offset aWeirdServerAcc ; "Weird : server accepted our public key "...
.text:08048C1C push 0
.text:08048C1E call ssh_say
.text:08048C23 mov [esp+38h+var_38], ebx
.text:08048C26 call free
.text:08048C2B mov [esp+38h+var_38], esi
.text:08048C2E call private_key_free
So, yeah, it's a bruteforcer, nothing magic here.
> Right. And somebody volunteered for this job right now, did you? ;-)
Eh. Limited time, new girlfriend is here and it's weekend :-/
So forgive the incompleteness of this :>
Maybe more on Monday. FWIW, if there are other versions out, they might be
more interesting than this tool.
Cheers, J.
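The behaviour described in the analysis above (rapid password attempts against the hardcoded test/test and guest/guest accounts, followed by offering the local user's public keys) leaves a characteristic trail in the target's sshd log. The following detector is an added example, not code from the post or from the tool being discussed. It parses constructed OpenSSH auth-log lines in the standard "Failed password for invalid user X from IP port N ssh2" / "Accepted publickey for X ..." format, groups failures per source address in a sliding time window, and flags sources that exceed a threshold or that cycle through default account names. The sample lines, the 60-second window, the threshold of 3 and the DEFAULT_ACCOUNTS list are all assumptions chosen for the example; note that OpenSSH only records refused public-key offers ("Failed publickey for ...") when LogLevel is VERBOSE or higher, so key-based probing is invisible at the default log level.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth-log lines (not real traffic). The first
# five come from one source cycling the test/guest accounts seen in the
# disassembly plus a refused public-key offer; the last two are a benign user.
SAMPLE_LOG = """\
Jul 31 18:36:01 bastion sshd[2311]: Failed password for invalid user test from 192.0.2.10 port 40221 ssh2
Jul 31 18:36:03 bastion sshd[2313]: Failed password for invalid user guest from 192.0.2.10 port 40224 ssh2
Jul 31 18:36:05 bastion sshd[2315]: Failed password for invalid user test from 192.0.2.10 port 40230 ssh2
Jul 31 18:36:07 bastion sshd[2317]: Failed password for invalid user guest from 192.0.2.10 port 40233 ssh2
Jul 31 18:36:09 bastion sshd[2319]: Failed publickey for root from 192.0.2.10 port 40237 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul 31 18:36:20 bastion sshd[2320]: Accepted publickey for alice from 198.51.100.7 port 51044 ssh2
Jul 31 18:37:02 bastion sshd[2325]: Failed password for alice from 198.51.100.7 port 51050 ssh2
"""

# Standard OpenSSH auth result line: syslog timestamp, host, sshd[pid], then
# "<Failed|Accepted> <method> for [invalid user ]<user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Account names a throwaway scanner typically tries first (assumed list).
DEFAULT_ACCOUNTS = {"test", "guest"}


def parse_line(line, year=2004):
    """Return a dict for an auth result line, or None for anything else.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def failures_in_window(events, window_s):
    """Largest number of failures from one source inside any window_s span.
    events must be sorted by timestamp."""
    best = start = 0
    for end in range(len(events)):
        while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(log_text, threshold=3, window_s=60):
    """Map source IP -> alert for sources whose failure rate exceeds the
    threshold, or that touched any of the default account names."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        burst = failures_in_window(evs, window_s)
        users = sorted({e["user"] for e in evs})
        defaults = sorted(set(users) & DEFAULT_ACCOUNTS)
        if burst >= threshold or defaults:
            alerts[ip] = {
                "failures": burst,
                "users": users,
                "default_accounts": defaults,
                "methods": sorted({e["method"] for e in evs}),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in find_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The single failed login from 198.51.100.7 does not trip the detector, while 192.0.2.10 is reported with five failures in under a minute, both default account names and both "password" and "publickey" methods, which is the combination this family of tool produces.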