SSH Public Key Acceptance Scanner
This module can determine what public keys are configured for key-based authentication across a range of machines, users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client performing the actual signed authentication request. To use this module, a text file containing one or more SSH keys should be provided. These can be private or public, so long as no passphrase is set on the private keys. If you have loaded a database plugin and connected to a database this module will record authorized public keys and hosts so you can track your process. Key files may be a single public (unencrypted) key, or several public keys concatenated together as an ASCII text file. Non-key data should be silently ignored. Private keys will only utilize the public key component stored within the key file.
Rank
- Normal
Authors
- todb < todb [at] metasploit.com >
- hdm < hdm [at] metasploit.com >
Development
Similar Modules
- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/ssh/ssh_login_pubkey
- auxiliary/scanner/ssh/ssh_version
Usage Information
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/scanner/ssh/ssh_identify_pubkeys
msf auxiliary(ssh_identify_pubkeys) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(ssh_identify_pubkeys) > run
Module Options
| BRUTEFORCE_SPEED | How fast to bruteforce, from 0 to 5 (default: 5) |
| KEY_FILE | Filename of one or several cleartext public keys. |
| RHOSTS | The target address range or CIDR identifier |
| RPORT | The target port (default: 22) |
| STOP_ON_SUCCESS | Stop guessing when a credential works for a host |
| THREADS | The number of concurrent threads (default: 1) |
| USERNAME | A specific username to authenticate as |
| USERPASS_FILE | File containing users and passwords separated by space, one pair per line |
| USER_FILE | File containing usernames, one per line |
| VERBOSE | Whether to print output for all attempts (default: true) |
| KEY_DIR | Directory of several keys. Filenames must not begin with a dot in order to be read. |
| MaxGuessesPerService | Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used. |
| MaxGuessesPerUser | Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used. |
| MaxMinutesPerService | Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used. |
| REMOVE_PASS_FILE | Automatically delete the PASS_FILE on module completion |
| REMOVE_USERPASS_FILE | Automatically delete the USERPASS_FILE on module completion |
| REMOVE_USER_FILE | Automatically delete the USER_FILE on module completion |
| SSH_BYPASS | Verify that authentication was not bypassed when keys are found |
| SSH_DEBUG | Enable SSH debugging output (Extreme verbosity!) |
| SSH_KEYFILE_B64 | Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only. |
| ShowProgress | Display progress messages during a scan |
| ShowProgressPercent | The interval in percent that progress should be shown |
| WORKSPACE | Specify the workspace for this module |