SSH Public Key Login Scanner
This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Note that password-protected key files will not function with this module -- it is designed specifically for unencrypted (passwordless) keys. Key files may be a single private (unencrypted) key, or several private keys concatenated together as an ASCII text file. Non-key data should be silently ignored.
Rank
- Normal
Authors
- todb < todb [at] metasploit.com >
Development
Similar Modules
- auxiliary/scanner/ssh/ssh_identify_pubkeys
- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/ssh/ssh_version
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(ssh_login_pubkey) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(ssh_login_pubkey) > run
Module Options
| BRUTEFORCE_SPEED | How fast to bruteforce, from 0 to 5 (default: 5) |
| KEY_FILE | Filename of one or several cleartext private keys. |
| RHOSTS | The target address range or CIDR identifier |
| RPORT | The target port (default: 22) |
| STOP_ON_SUCCESS | Stop guessing when a credential works for a host |
| THREADS | The number of concurrent threads (default: 1) |
| USERNAME | A specific username to authenticate as |
| USERPASS_FILE | File containing users and passwords separated by space, one pair per line |
| USER_FILE | File containing usernames, one per line |
| VERBOSE | Whether to print output for all attempts (default: true) |
| AutoRunScript | A script to run automatically on session creation. |
| InitialAutoRunScript | An initial script to run on session creation (before AutoRunScript) |
| KEY_DIR | Directory of several cleartext private keys. Filenames must not begin with a dot, or end in ".pub" in order to be read. |
| MaxGuessesPerService | Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used. |
| MaxGuessesPerUser | Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used. |
| MaxMinutesPerService | Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used. |
| REMOVE_PASS_FILE | Automatically delete the PASS_FILE on module completion |
| REMOVE_USERPASS_FILE | Automatically delete the USERPASS_FILE on module completion |
| REMOVE_USER_FILE | Automatically delete the USER_FILE on module completion |
| SSH_DEBUG | Enable SSH debugging output (Extreme verbosity!) |
| SSH_KEYFILE_B64 | Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only. |
| ShowProgress | Display progress messages during a scan |
| ShowProgressPercent | The interval in percent that progress should be shown |
| WORKSPACE | Specify the workspace for this module |