SSHatter 1.0
21 November 2011
SSHatter is a Perl-based tool for brute force guessing SSH login credentials. Since I last wrote about SSHatter, several new versions have been released. The latest version is 1.0, which has several improvements but still suffers from a few bugs.
Installation and Usage
To use SSHatter simply download the source from http://freshmeat.net/projects/sshatter. Once downloaded, unpack the source and run the SSHatter.pl file. More than likely you'll get an error indicating that a Perl dependency is missing. To fix this error simply install the 'perl-Net-SSH-Perl' library. On Fedora you can use 'sudo yum install perl-Net-SSH-Perl' to accomplish this. You'll also need the Perl parallel fork manager library, which can be installed using 'sudo yum install perl-Parallel-ForkManager'. SSHatter has a number of different configuration options. You can explore them by simply typing 'perl SSHatter.pl' in the same directory that SSHatter is installed. The entire download, enabling and install process should look something like this:

    $ wget http://freshmeat.net/urls/4545c53ceab532b77fcfe92e075a6828
    $ tar xvzf SSHatter-1.0.tar.gz
    $ cd SSHatter-1.0/src
    $ sudo yum install -y perl-Net-SSH-Perl perl-Parallel-ForkManager
    $ perl SSHatter.pl
    usage: SSHatter.pl -x-t -u <[-k ] [-p ] [-d]> [[-0] [-s] -m | [-0] [-s] -i | -P | -G ]
    -d - dumb mode, try username equals password, username, blank
    -0 - sudo mode, echo the password to STDIN (useful for systems where sudo -S works)
    -s - safe mode, prompt before executing
    -m - mass mode, run one command across all targets
    -i - interactive mode, run multiple commands across all targets (non-persistant)
    -P - upload a file
    -G - download a file
    If sudo mode is not enabled, then SSHatter.pl will block on STDIN. at SSHatter.pl line 313.
Using SSHatter
You'll see from the default output that SSHatter accepts a file for the target servers, the usernames, and passwords to try, as well as a host of other configuration options. There are a couple of tricks you can use to make SSHatter more effective. The first is that servers can be listed with alternative ports, such as including:

    127.0.0.1:2222

to scan the localhost on port 2222 instead of the default SSH port (which is TCP port 22). You can also limit the number of processes, which limits the number of forks that SSHatter will manage. This can be helpful if your scans overload the target.
Problems with SSHatter
The first issue you'll notice when using SSHatter is that you must specify the '-x' flag and an option or the program will fail. Another caveat I discovered is that if you don't run SSHatter using sudo the code will fail with the mysterious error:

    $ perl SSHatter.pl -x 1 -t hosts.txt -u users.txt -p pass.txt
    I: 127.0.0.1:22
    SSHatter::Exception::Host::Check::Net::SSH::Perl::Cmd at SSHatter.pl line 110, line 1.
    I: 127.0.0.1:22 finished

This is actually an issue with the Perl SSH library. If you try the following code:

    #!/usr/bin/perl
    # File: sshtest.pl
    use Net::SSH::Perl;
    $host = '127.0.0.1';
    $user = 'root';
    $pass = 'password';
    $conn = Net::SSH::Perl->new($host);
    $conn->login($user, $pass);

You'll find the error that's causing this behaviour:

    $ perl sshtest.pl
    Received disconnect message: Too many authentication failures for root
    at /usr/share/perl5/vendor_perl/Net/SSH/Perl/AuthMgr.pm line 143

The disconnect error that is causing SSHatter to fail is actually connected to the use of the Perl library. If you run with elevated privileges using sudo the error doesn't appear:

    $ sudo perl sshtest.pl
    [sudo] password for justin:
    Permission denied at sshtest.pl line 7

The problem is that Net-SSH retries password authentication unless you stop it explicitly. This causes the authentication to bomb out after just one username/password try. The following code fixes this issue in sshtest.pl:

    #!/usr/bin/perl
    use warnings;
    use Net::SSH::Perl;
    $host = '127.0.0.1';
    $user = 'justin';
    $pass = 'foo';
    # Pass ssh_config-style options so the client makes a single password attempt
    $conn = Net::SSH::Perl->new($host, options => [
        "PasswordAuthentication yes",
        "PubkeyAuthentication no",
        "NumberOfPasswordPrompts 1"]);
    $conn->login($user, $pass);

Applying the following patch will fix this problem in SSHatter and allow you to run in a non-privileged mode:
--- SSHatter.pl 2009-12-09 20:25:47.000000000 -0500 +++ SSHatter.fixed.pl 2011-09-16 11:06:16.000000000 -0400 @@ -96,7 +96,7 @@ sub checkbypassword { $username = shift; $password = shift; eval { - $sshhandle = Net::SSH::Perl->new($self->{'hostname'}, port => $self->{'portnumber'}); + $sshhandle = Net::SSH::Perl->new($self->{'hostname'}, port => $self->{'portnumber'}, options => ["NumberOfPasswordPrompts 1", "ChallengeResponseAuthentication no"]); }; if ($@ ne "") { die "SSHatter::Exception::Host::Check::Net::SSH::Perl::New";

This will allow you to run without sudo, but you'll still find a host of other problems. The Perl Net SSH library implements a die() statement if the remote machine isn't online. This will cause SSHatter to exit unexpectedly (although only one thread will die so this shouldn't kill the program entirely).
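
Review bot: the options list on the added Net::SSH::Perl->new line in checkbypassword does not match the set tested in sshtest.pl above. It passes "NumberOfPasswordPrompts 1" and adds "ChallengeResponseAuthentication no", but leaves out "PasswordAuthentication yes" and the public-key setting, so the patched code is not running the configuration that was shown to work. Either pass the same three options or add a comment explaining why this pair is sufficient. Separately, the unchanged context after the eval dies with a fixed string and discards $@, which hides the library's own message; including $@ in that die would make failures like the "Too many authentication failures" disconnect visible without a separate test script.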
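
On the server side, a guessing run like the one described here, including the "Too many authentication failures" disconnect, leaves a recognisable trail in the sshd log. The following is an added example, not part of the original post or of SSHatter: it summarises failed logins per source address and ties the disconnect line, which carries no address in this log style, back to its source through the sshd PID. The log lines are constructed, their format is assumed to be the classic OpenSSH syslog style, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog style (not from the original post).
SAMPLE_LOG = """\
Nov 21 10:00:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 21 10:00:02 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 21 10:00:02 host sshd[4101]: Disconnecting: Too many authentication failures for root
Nov 21 10:00:03 host sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Nov 21 10:00:04 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Nov 21 10:00:05 host sshd[4104]: Failed password for justin from 198.51.100.20 port 51000 ssh2
Nov 21 10:00:09 host sshd[4104]: Accepted password for justin from 198.51.100.20 port 51000 ssh2
"""

FAILED = re.compile(
    r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
TOO_MANY = re.compile(r"sshd\[(\d+)\]: Disconnecting: Too many authentication failures")


def summarize(log_text):
    """Return {source_ip: {"failures", "users", "cutoffs"}} from sshd log text."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "cutoffs": 0})
    pid_to_ip = {}  # the disconnect line has no address here, so join on sshd PID
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            pid, user, ip = m.groups()
            pid_to_ip[pid] = ip
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = TOO_MANY.search(line)
        if m and m.group(1) in pid_to_ip:
            stats[pid_to_ip[m.group(1)]]["cutoffs"] += 1
    return dict(stats)


def flag_sources(log_text, min_failures=4, min_users=3):
    """Sources that look like guessing runs (thresholds are illustrative)."""
    return sorted(
        ip for ip, s in summarize(log_text).items()
        if s["failures"] >= min_failures
        or len(s["users"]) >= min_users
        or s["cutoffs"] > 0)


if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG):
        print(ip, summarize(SAMPLE_LOG)[ip])
```

A single mistyped password followed by a successful login, like the second source in the sample, stays below every threshold and is not flagged.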