Open timukas opened 2 months ago
Thanks for opening an issue! The browser script is currently using the same rendering as the other virtualized components within Mythic, so things like wrapping and line height are static. When you say it could be better, can you elaborate a bit on what you're looking for? Do you want a better way to see the output of commands? Are you often running a command on a single server, testing access, or running commands on multiple servers?
Yes, I meant a better way to see the output of commands.
Currently, for long outputs I triple-click the output field and paste the text into Notepad; then the output is shown the same way as in a terminal (taking into account \r\n).
With sshauth, in most cases I run some commands on remote systems.
I can add a button there that allows you to copy out the entire output more easily. Out of curiosity though, are you using this to run a bunch of ssh commands on a host, or are you using it more as a way to test access/laterally move?
https://github.com/MythicAgents/poseidon/actions/runs/10709004720
^ once that finishes, try pulling down the latest and reinstalling the poseidon container. I updated the browser script to have little "copy" icons next to the output and host so it's easier to get that data out.
If you're using this as more of a regular way to run ssh commands on a single host though, then I think it's better if I make a more dedicated ssh command (or better yet, use the pty command within poseidon and run ssh from within that)
Thanks for "copy" button!
sshauth - execute & forget. No need to adjust callback intervals.
pty is sometimes used also. The downside of pty is that it spawns /bin/bash from the poseidon payload, and long callback intervals must be changed to 0 or close-to-zero values.
Gotcha, that makes sense. I'll look into making a dedicated ssh command that works like the pty, but instead of spawning a shell locally, using a pty through the ssh connection.
The pty command btw won't require you to adjust your sleep interval. It spawns a pseudo terminal and executes a command within it (ex: /bin/bash) and from there you execute additional commands. So, from that pty if you run ssh user@ip, the spawned pty keeps the ssh connection alive. The actual comms speed between Poseidon and Mythic doesn't matter and is only used to send input/read output from the pty in general; it doesn't affect the connection of things you run within it.
I just added an ssh command to the latest poseidon - so you can enter an interactive pty ssh session without spawning ssh and without needing to sleep down the agent either
ssh command keeps showing this:
Tried remote hosts, localhost - still "fetching"
Set StrictHostKeyChecking no to all hosts in ssh config - still fetching
It should just show that until there's some sort of data to show. What's the status of the task you're issuing? It should return errors for connectivity issues (or auth issues) and a prompt for success.
Once I run this command: ssh {"username":"root","password":"some_foo","host":"10.10.20.30","port":22}
I get a "Fetching Interactive Task data" popup, but I'm not able to type any ssh commands.
Task is in agent processing state.
If you do the same host and everything with the sshauth command then you get your output? Does that account have a login shell associated with them? It's weird that it would hang like that
Same creds on the same host: sshauth - works, ssh - not.
sshauth:
ssh:
P.S. Recorded a video:
https://github.com/user-attachments/assets/6cc8a0e7-22f9-4938-b05a-b23c9dac98fa
What kind of server are you ssh-ing into? I can try testing with that specific kind on my end to see if I can replicate. I was testing ssh-ing into a Mac, but maybe it's different with something like kali or certain Linux boxes. Do you get the same issue if you ssh in as a non-root account?
I have the poseidon payload running on Debian 11 and am connecting with the ssh and sshauth commands to Kali (latest).
When tcpdump'ing and running the sshauth command, I see the ssh cipher exchange in tcpdump and get results from the sshauth command.
With the ssh command I don't see any packets in tcpdump.
Both commands I've tried on completely new callbacks without any previous commands.
Another thing I've noticed with the sshauth command.
Once you run 1 simple sshauth command and get results, tcpdump shows 2 packets to/from the ssh port every 15 seconds.
Hmm ok I'll look into it, they're both using the same library, so it's odd that one works and one doesn't.
That other thing sounds like sshauth isn't properly closing the tcp connections and there's a keep alive still going. I'll look into that too
The jobkill UID command does not kill an existing ssh command.
If you run jobs several times in a row, then all previous jobs are listed in the 'jobs' json. Also looks a bit weird.
Ah yeah jobs command shouldn't include the jobs command itself
it shows all previous jobs
https://github.com/MythicAgents/poseidon/actions/runs/10746572112
^ building a new version that fixes the jobs and should properly clean up the ssh connections
Thanks!
sshauth now works properly - no ssh packets after command execution.
jobs - now works better. But I've noticed that even when the ssh command has exited, jobs lists ssh as an active job, but jobkill does not kill the ssh command.
With the ssh command I now see the ssh cipher exchange between machines and can run ssh commands, in a similar way as with pty.
P.S. All this started working only after I pruned all docker images. Before that, upgrading poseidon (with the -f option) still had some issues with the ssh, jobs and sshauth commands, despite Mythic showing the correct Poseidon version '2.1.6'.
What would be the correct way to update poseidon and have it working properly (without deleting/pruning existing docker images)?
You should be able to just re-install it:
sudo ./mythic-cli install github https://github.com/mythicagents/poseidon -f
and that'll delete the existing container, delete the existing volume, and fresh install it
I'm using latest poseidon on latest Mythic.
sshauth command output could be more beautiful.