Open source software security

SSHatter 1.0

21 November 2011
SSHatter is a Perl-based tool for brute-force guessing SSH login credentials. Since I last wrote about SSHatter several new versions have been released. The latest version is 1.0, which has several improvements but still suffers from a few bugs.

Installation and Usage

To use SSHatter simply download the source from http://freshmeat.net/projects/sshatter. Once downloaded, unpack the source and run the SSHatter.pl file. More than likely you'll get an error indicating that a Perl dependency is missing. To fix this error simply install the 'perl-Net-SSH-Perl' library. On Fedora you can use 'sudo yum install perl-Net-SSH-Perl' to accomplish this. You'll also need the Perl parallel fork manager library, which can be installed using 'sudo yum install perl-Parallel-ForkManager'. SSHatter has a number of different configuration options. You can explore them by simply typing 'perl SSHatter.pl' in the directory where SSHatter is installed. The whole download, dependency install and first-run sequence should look something like this:
$ wget http://freshmeat.net/urls/4545c53ceab532b77fcfe92e075a6828
$ tar xvzf SSHatter-1.0.tar.gz
$ cd SSHatter-1.0/src
$ sudo yum install -y perl-Net-SSH-Perl perl-Parallel-ForkManager
$ perl SSHatter.pl 
usage: SSHatter.pl -x  -t  -u  <[-k ] [-p ] [-d]> [[-0] [-s] -m  | [-0] [-s] -i | -P  | -G ]

	-d - dumb mode, try username equals password, username, blank
	-0 - sudo mode, echo the password to STDIN (useful for systems where sudo -S works)
	-s - safe mode, prompt before executing
	-m - mass mode, run one command across all targets
	-i - interactive mode, run multiple commands across all targets (non-persistant)
	-P - upload a file
	-G - download a file

If sudo mode is not enabled, then SSHatter.pl will block on STDIN. at SSHatter.pl line 313.

Using SSHatter

You'll see from the default output that SSHatter accepts a file for the target servers, a file of usernames and a file of passwords to try, as well as a host of other configuration options. There are a couple of tricks you can use to make SSHatter more effective. The first is that servers can be listed with alternative ports, such as including:
127.0.0.1:2222
to scan the localhost on port 2222 instead of the default SSH port (TCP port 22). You can also limit the process count, which caps the number of forks that SSHatter will manage. This can be helpful if your scans overload the target.

Problems with SSHatter

The first issue you'll notice when using SSHatter is that you must specify the '-x' flag with its argument or the program will fail. Another caveat I discovered is that if you don't run SSHatter using sudo the code will fail with the mysterious error:
$ perl SSHatter.pl -x 1 -t hosts.txt -u users.txt -p pass.txt 
I: 127.0.0.1:22
SSHatter::Exception::Host::Check::Net::SSH::Perl::Cmd at SSHatter.pl line 110,  line 1.
I: 127.0.0.1:22 finished
This is actually an issue with the Perl SSH library. If you try the following code:
#!/usr/bin/perl
# File: sshtest.pl
# Minimal Net::SSH::Perl login that reproduces the disconnect error
use strict;
use warnings;
use Net::SSH::Perl;

my $host = '127.0.0.1';
my $user = 'root';
my $pass = 'password';

# With the default options the library keeps retrying password
# authentication until the server disconnects
my $conn = Net::SSH::Perl->new($host);
$conn->login($user, $pass);
You'll find the error that's causing this behaviour:
$ perl sshtest.pl 
Received disconnect message: Too many authentication failures for root
 at /usr/share/perl5/vendor_perl/Net/SSH/Perl/AuthMgr.pm line 143
The disconnect error that is causing SSHatter to fail is actually connected to the use of the Perl library. If you run with elevated privileges using sudo the error doesn't appear:
$ sudo perl sshtest.pl 
[sudo] password for justin: 
Permission denied at sshtest.pl line 7
The problem is that Net::SSH::Perl retries password authentication unless you stop it explicitly. This causes the authentication to bomb out after just one username/password try. The following code fixes this issue in sshtest.pl:
#!/usr/bin/perl
# File: sshtest.pl (fixed)
use strict;
use warnings;
use Net::SSH::Perl;

my $host = '127.0.0.1';
my $user = 'justin';
my $pass = 'foo';

# Restrict the library to a single password attempt per connection so the
# server never answers with "Too many authentication failures"
my $conn = Net::SSH::Perl->new($host,
        options => ["PasswordAuthentication yes",
                    "PubkeyAuthentication no",
                    "NumberOfPasswordPrompts 1"]);
$conn->login($user, $pass);
Applying the following patch will fix this problem in SSHatter and allow you to run in a non-privileged mode:
--- SSHatter.pl	2009-12-09 20:25:47.000000000 -0500
+++ SSHatter.fixed.pl	2011-09-16 11:06:16.000000000 -0400
@@ -96,7 +96,7 @@ sub checkbypassword {
 	$username = shift;
 	$password = shift;
 	eval {
-		$sshhandle = Net::SSH::Perl->new($self->{'hostname'}, port => $self->{'portnumber'});
+		$sshhandle = Net::SSH::Perl->new($self->{'hostname'}, port => $self->{'portnumber'}, options => ["NumberOfPasswordPrompts 1", "ChallengeResponseAuthentication no"]);
 	};
 	if ($@ ne "") {
 		die "SSHatter::Exception::Host::Check::Net::SSH::Perl::New";
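Review bot: the option list on the + line omits the "PasswordAuthentication yes" / "PubkeyAuthentication no" pair that the sshtest.pl fix above uses, so the two fixes diverge; either add those two options here as well or document why "NumberOfPasswordPrompts 1" plus "ChallengeResponseAuthentication no" is sufficient on its own. The hard-coded options list would also be easier to maintain as a named variable, and the very long + line reads better broken across lines as in sshtest.pl.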
This will allow you to run without sudo, but you'll still find a host of other problems. Net::SSH::Perl calls die() if the remote machine isn't online. This will cause SSHatter to exit unexpectedly (although only the forked worker handling that host dies, so this shouldn't kill the program entirely).
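The "Too many authentication failures" disconnect that tripped up sshtest.pl is the server's side of the same story: sshd logs every failed password attempt and every forced disconnect, so a guessing run like the one above is easy to spot. The following detector is an added example, not code from the original post or from SSHatter; the log lines it parses are constructed here to mimic standard sshd output, and the thresholds are arbitrary assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth log lines (not from the original post);
# the first source is guessing several accounts, the second is a user who
# mistyped a password once and then logged in.
SAMPLE_LOG = """\
Nov 21 10:00:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 50112 ssh2
Nov 21 10:00:02 host sshd[1201]: Failed password for root from 10.0.0.5 port 50112 ssh2
Nov 21 10:00:03 host sshd[1201]: Failed password for root from 10.0.0.5 port 50112 ssh2
Nov 21 10:00:04 host sshd[1201]: Disconnecting: Too many authentication failures for root [preauth]
Nov 21 10:00:05 host sshd[1207]: Failed password for invalid user admin from 10.0.0.5 port 50113 ssh2
Nov 21 10:00:06 host sshd[1210]: Failed password for justin from 10.0.0.5 port 50114 ssh2
Nov 21 10:01:00 host sshd[1300]: Failed password for justin from 192.168.1.20 port 41000 ssh2
Nov 21 10:01:30 host sshd[1300]: Accepted password for justin from 192.168.1.20 port 41000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
TOO_MANY_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Disconnecting: Too many authentication failures"
)

def summarize(log_text):
    """Per source address: number of failed passwords, the distinct
    usernames tried, and how often sshd cut the session for too many
    failures. The disconnect line carries no address, so it is tied back
    to the source through the sshd process id seen on earlier failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "too_many": 0})
    pid_to_src = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            src = m.group("src")
            pid_to_src[m.group("pid")] = src
            stats[src]["failures"] += 1
            stats[src]["users"].add(m.group("user"))
            continue
        m = TOO_MANY_RE.search(line)
        if m and m.group("pid") in pid_to_src:
            stats[pid_to_src[m.group("pid")]]["too_many"] += 1
    return stats

def flag_bruteforce(stats, min_failures=5, min_users=2):
    """Sources with many failures, failures across several accounts
    (the dumb-mode / wordlist pattern), or any forced disconnect."""
    return sorted(src for src, s in stats.items()
                  if s["failures"] >= min_failures
                  or len(s["users"]) >= min_users
                  or s["too_many"] > 0)
```

Run over a real /var/log/secure the same two functions work unchanged; tune the thresholds to your environment.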

Conclusions

Despite these issues SSHatter is still an extremely effective SSH brute-forcing tool. It's a bit twitchy though, so depending on usage you may simply want to look at the source code and build your own program. Because SSHatter is written in Perl it is cross-platform compatible. I use SSHatter in a Linux environment, but with a Windows version of Perl, such as the one from ActiveState, it should be relatively straightforward to use SSHatter in a Microsoft environment. I would make several recommendations for the future of SSHatter though. Having output in various formats (CSV, XML, etc.) would make use a little easier. Also, being able to specify host ranges in the target host file would be nice, although you can easily script the creation of a file with lots of hosts. Overall SSHatter is a great addition to any penetration tester's toolkit. I plan to use SSHatter on my own network to spot weak credentials proactively so I can warn administrators. Used in conjunction with a port detection program (Nmap) you can perform pretty robust internal network analysis and vulnerability scanning.