Commit Graph

402 Commits

Author SHA1 Message Date
bwatters-r7 2db93c9051 Land #12002, Feature/reverse ssh
Merge branch 'land-12002' into upstream-master
2020-02-21 09:17:51 -06:00
bwatters-r7 1aa412ccc0 add some of bcoles suggested fixes 2020-02-19 13:52:38 -05:00
L 7f82816065 Add description udp listening information 2020-01-10 14:58:36 +08:00
RageLtMan 21dd5f438d Address some of @bcoles comments 2019-09-15 01:14:04 -04:00
RageLtMan d1eaac9932 Implement native reverse SSH via openssh binary
Implement a reverse SSH shell using nothing but the on-target SSH
client and a fifo in the same manner as used by netcat payloads.
This is not forensically sound as the fifo will be caught by HIDS,
filesystem snapshots, and other defensive measures. However, it
does provide a way out from almost any modern POSIX system as they
nearly all have an SSH client in one form or another.

Convert existing Ruby reverse SSH payloads to use dynamic cached
payload sizing.
2019-06-23 05:48:50 -04:00
RageLtMan c339662fed SshCommandSession and Ruby Payloads
Implement a command-only session type over the HrrRbSsh client
Connection Channels' file descriptors, adjust from base command
session to deal with the separate reader/writer IOs. Technically,
a TTY session works out of the box here as well.

Implement a pair of showcase Ruby payloads using net/ssh to call
back to the handler, create a shell channel, and loop piping I/O
between framework session and client via the Ruby backtick exec.

Next Steps:
  Command payloads need to be written for every major interpreted
language as well as some sort of bashism a la openssl_double if
it comes to that, but preferably single socket implementation.

Testing:
  Very minimal, needs a good run through by the community and R7
2019-06-23 05:20:04 -04:00
RageLtMan f0b24339fe Implement Rex::Proto::Ssh::Server scaffold
Create the Rex::Proto::Ssh namespace and implement hrr_rb_ssh
objects in the Rex namespace with Rex' sockets stack, permissive
default connection options to accept any authentication, ACLs for
port forwarding, and a modified Connection #initialize method for
simplified instantiation.

The actual Rex::Proto::Ssh::Server object follows standard Rex
semantics for services to permit use in handlers, exploits, and
auxiliary modules in the same manner as the Http::Server is used
today.

This work is far from complete - the HrrRbSsh low-level objects
should be decomposed into Rex' pattern as they currently depend
heavily on their own Procs and Threads internally which use the
parent Connection object's attributes to look up which Proc should
be called in response to a Channel or Authentication request. This
is a bit difficult to do piecemeal given the intertwined data and
execution dependency inside of HrrRbSsh.

Next steps:
1. Create handler and reverse_ssh command session payloads
1a. POSIX systems generally have SSH already
1b. Windows Powershell is likely able to hotload SSH libs as a
pre-stager.
1c. Other interpreted runtimes usually have client-ssh libraries
2. Implement options parsing, handling, etc for user-customizable
functionality from the Msf namespace.
3. Use libssh2 to permit mettle use of the SSH transport.
3a. Bother @OJ about doing the same for Windows Meterpreter.
3b. Bother @zeroSteiner to implement SSH transport for PyMeterp.
3c. Ask @timwr and @mihi how viable this is for Android/Java.
3d. See if @OJ will do this for CLR-meterp on a livestream.
4. Write a post module which runs this SSH server from a mettle
session using the compromised host's own host keys and passwd
file for "valid" authentication while logging and MITMing the
entire command stream remotely - help folks shake off some of the
complacency around "secure shells."
5. Write a plugin which will permit sharing of the entire console
context, specific acquired sessions, or TCP forwards with the
plugin's SSH clients based on the credentials used to connect.
6. Further decompose the server code into Rex to permit writing
client fuzzers, loggers, and other tooling to test the posture of
SSH client implementations.
7. Work to implement SSH client functionality in HrrRbSsh and
convert the rest of Rex/Msf to use this library instead only.
8. Rewrite and import MetaSsh into Metasploit proper using the
new Rex::Proto::Ssh code.

-----

Huge thanks to @hirura for writing HrrRbSsh. I've spent countless
hours on and off working to implement server-side semantics in
net/ssh years ago and it was becoming a pretty full rewrite due
to the ordering of server/client req/resp messages and who sent
what to whom. This library is a much much cleaner implementation
and provides full, modern SSH servers in pure Ruby.
2019-06-22 20:06:15 -04:00
OJ 5621d200cc Stop error rendering in multi/meterpreter
The reverse_http/s listeners result in awful errors when
multi/meterpreter is set as the payload. Anyone that hits the endpoint
with an invalid or missing UUID will spam the MSF console with
exceptions.

This patch avoids this issue in cases where the UUID isn't specific. We
avoid setting it as a default, which doesn't make sense anyway.
2019-06-11 13:39:52 +10:00
Brent Cook 73c8e803fe Land #11892, Fix parse IPv6 address in reverse_http 2019-05-31 12:41:36 -05:00
ssyy201506 ecda8d864a Fix incorrect parsing of IPv6 uri. 2019-05-28 16:41:34 +09:00
Matt Robinson 26eebb9620 Fix multi handler reverse_http to not care so much about the workspace. 2019-05-25 16:25:06 -04:00
William Vu c9813cf379 Fix comments 2019-05-23 10:39:11 -05:00
William Vu 7eb279e079 Use human_name in reverse_udp handler 2019-05-22 20:25:37 -05:00
Erin Bleiweiss b51d016a93 Store and search payloads with workspace id 2018-09-24 14:11:48 -05:00
Erin Bleiweiss 7e6c3261b6 Update payload count method 2018-09-18 16:36:11 -05:00
Erin Bleiweiss 9b5326994f Add remote data endpoint support for searching payloads 2018-09-18 15:50:55 -05:00
Erin Bleiweiss 8f4e17c277 Replace uuid methods for payload count and url validation 2018-09-13 12:28:04 -05:00
UserExistsError 6181253109 fix multi connect bug 2018-07-26 17:34:11 -06:00
UserExistsError d5ed70417b bind_named_pipe payload for ruby_smb 2018-07-17 17:46:10 -06:00
William Vu c8891206af Add vprint_status back to bind_named_pipe
I thought it was redundant with the improved handler start message, but
it broke consistency with the other print statements. Fixing.
2018-07-13 17:29:52 -05:00
Brent Cook 8680379875 fix logic bug in handler thread for bind_named_pipe 2018-07-05 10:39:20 -05:00
William Vu f0b9b1c113 Add more verbose printing to bind handlers 2018-07-03 19:41:08 -05:00
UserExistsError bbf26c66f6 bind_named_pipe fixed for simpleclient versions param 2018-06-27 16:14:53 -06:00
UserExistsError 948b07166a pipe error checks 2018-03-14 00:09:20 -06:00
UserExistsError e19a071910 add bind_named_pipe x86 2018-02-22 19:03:37 -07:00
UserExistsError b3f26ea55f bind_named_pipe fixes 2018-02-18 10:31:57 -07:00
Brent Cook 38b03fdfff Merge branch 'upstream-master' into land-9539- 2018-02-15 16:22:13 -06:00
Brent Cook 93450b87dd use common retry options for UDP 2018-02-15 14:36:21 -06:00
Jeffrey Martin f5768e7ced gate session reported when using bind udp
While this method here is somewhat noisy on the network it eliminates
a poor user experience when the handler is started but the payload is
not yet running on the target.

When a target is sent a udp packet and it is not rejected push down
an initial "echo syn" command that will respond with output.  This
allows framework to be aware that the payload is what is running on
the server port instead of assuming a non-existent target is a valid
session.
2018-02-13 14:44:57 -06:00
UserExistsError 8ae8a0d94b added bind_named_pipe payload 2018-02-11 18:56:50 -07:00
RageLtMan ef1d4ddb03 Add UDP handlers and payloads (redux)
This is a repackaging effort for the work I originally pushed in
6035. This segment of the PR provides UDP session handlers for
bind and reverse sessions, a Windows Metasm stager (really the
TCP stager with a small change), and a pair of socat payloads for
testing simple UDP shells. Netcat or any scripting language with
a sockets library is sufficient to use these sessions as they are
stateless and simple.

Testing of this PR requires rex/core #1 and rex/socket #2

The SSL testing which was being done on 6035 is backed out, left
for a later time when we can do DTLS properly.
2018-01-23 02:00:55 -05:00
RageLtMan f1a1e1a357 Implement specific dispatch extensions for tunnels
All meterpreter Clients are created equal, and as such they all
include the PacketDispatcher mixin and call its init methods when
a passive dispatcher is needed. However, since tunneling protocols
have different requirements for implementation, the methods which
provide protocol-specific functionality need to be mixed into the
Client before it attempts to initialize the dispatcher.

Provide a dispatch_ext option in the hash passed to the client on
init from the session handler which is an Array containing mixin
references which are sent to :extend calls in the :init_meterpreter
method just prior to calling :initialize_passive_dispatcher.

Each handler implementation can thus push chains of mixins to the
client in order to provide middleware specific to the tunnel. Down
the road, this should permit stacking C2 encapsulations or tunnel
protocols/permutators to create unique session transports on the
fly.
2017-12-29 00:56:06 -05:00
Brent Cook bb5ea540ab fix a number of TODO's in the HTTP handler, remove duplication in handlers 2017-12-12 03:12:36 -06:00
Brent Cook f49006222c remove unneeded uri 2017-12-12 03:12:36 -06:00
Brent Cook 8e76c4cb4f handle override at the meterpreter config layer 2017-12-12 03:12:36 -06:00
Brent Cook 017374be71 pass lhost/lport back into generate_stage with reverse_http/s 2017-12-12 03:12:36 -06:00
Brent Cook 85acbadf01 more DRYing 2017-11-21 13:47:19 -06:00
Brent Cook 2076db2d61 DRY up common stager and payload http and retry options 2017-11-21 13:47:19 -06:00
Brent Cook 1fd7f7c8bc prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
OJ a78d8f83fc Add HTTP header support for Host/Cookie/Referer
This is to start the support for things like domain fronting.
2017-11-21 13:47:18 -06:00
OJ 816e78b6f6 First pass of named pipe code for pivots 2017-09-07 01:33:53 -05:00
Brent Cook 4ca68a178b switch reverse_tcp stagers to all prefer StagerRetryCount
This leaves ReverseConnectRetries as an alternate spelling.
2017-08-08 19:27:00 -05:00
Brent Cook 83212b8b6b minor code cleanup 2017-08-08 19:26:59 -05:00
darkbushido 81bcf2ca70 updating all LHOST to use the new opt type 2017-05-04 12:57:50 -05:00
William Vu af3cd18c9f Fix #8041 so it works 2017-03-16 13:27:47 -05:00
Noah Berman ad929b6427 indentation fix part 2 2017-03-09 15:44:09 -07:00
Noah Berman ef6831437a indentation fix for clarity 2017-03-09 14:55:20 -07:00
Noah Berman ccf345f696 move method to module level 2017-03-09 14:32:51 -07:00
Noah Berman 10018e2a32 spacing fix in reverse.rb 2017-03-09 12:48:36 -07:00
Noah Berman 40204703f0 remove unnecessary newline 2017-03-09 12:26:11 -07:00