OWASP / Nettacker

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
https://owasp.org/www-project-nettacker/
Apache License 2.0

ssh_brute: Detect open dropbear server #715

Closed Jasper-Ben closed 8 months ago

Jasper-Ben commented 1 year ago

Issue

Currently, the brute modules (at least ssh) do not scan for empty passwords.

Update: This does not seem to affect openssh servers and could only be reproduced on dropbear ssh servers so far.

Setup

Container running an open SSH server (aka, user=root, password="") in the same network as the Nettacker container. I can successfully connect to the SSH server from inside the Nettacker container using ssh root@<ip> without password prompt.

Expected behavior

Nettacker should detect a passwordless SSH server.

Actual behaviour

  1. By default, Nettacker does not attempt to connect without password.
  2. Running python3 nettacker.py -v -i <ip> -m ssh_brute -u "root" -p "" will fall back to default password list (since passwords is empty)
  3. Creating a passwordlist file only containing a newline and running python3 nettacker.py -v -i <ip> -m ssh_brute -u "root" --passwords-list=passwords.txt will use an empty password, but will still fail to detect the open SSH server:
    {"timeout": 3.0, "host": "172.23.0.3", "ports": "22", "usernames": "root", "passwords": "", "method": "ssh_brute_force", "response": {"condition_type": "or", "conditions_results": []}}
    [2023-07-09 12:24:45][+] process-1|ssh_brute|172.23.0.3| finished module thread number 1 from 1
    +----------------------------+------------+-------------+------+----------+
    |            date            |   target   | module_name | port |   logs   |
    +============================+============+=============+======+==========+
    | 2023-07-09 12:24:44.491141 | 172.23.0.3 | port_scan   | 22   | Detected |
    +----------------------------+------------+-------------+------+----------+
    | 2023-07-09 12:24:44.507036 | 172.23.0.3 | port_scan   | 80   | Detected |
    +----------------------------+------------+-------------+------+----------+

Suggested solution

Nettacker should, regardless of provided passwords, always attempt to connect without providing a password.

Nettacker Version

owasp/nettacker:0.3.1 container image

Captain-T2004 commented 9 months ago

This is a genuine issue and I would like to fix this. @securestep9, kindly assign me this issue.

Captain-T2004 commented 9 months ago

@Jasper-Ben, while recreating this issue, I have found that nettacker is successfully able to identify the open ssh server. I have created a passwordless ssh server running on a docker container to recreate the issue.

Dockerfile to build the ssh server container:


FROM ubuntu:latest

RUN apt-get update && apt-get install -y openssh-server

# Create the test user and give it an empty password
RUN useradd -ms /bin/bash myuser
RUN echo "myuser:" | chpasswd -e

RUN mkdir /var/run/sshd
# sshd_config (below) enables PermitEmptyPasswords
COPY sshd_config /etc/ssh/
RUN passwd -d myuser
EXPOSE 22

CMD ["/usr/sbin/sshd", "-D"]


sshd_config file:


PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords yes
PubkeyAuthentication no
ChallengeResponseAuthentication no
UsePAM yes


Nettacker version: 0.3.2
OS: Pop OS 22.04

If you have set up the ssh server in any other way kindly share the details...

Jasper-Ben commented 9 months ago

@Captain-T2004 huh, interesting. I will check again soon (hopefully tomorrow)

Jasper-Ben commented 9 months ago

Ok, I couldn't let it rest until tomorrow :sweat_smile:

So the "good" news is: I am (probably) not stupid, in my setup I am still unable to detect the open SSH server.

# ssh root@172.20.0.2
root@b4a70f4bb3f1:~# 
# python3 nettacker.py -v -i 172.20.0.2 -m ssh_brute

+----------------------------+------------+-------------+------+----------+
|            date            |   target   | module_name | port |   logs   |
+============================+============+=============+======+==========+
| 2024-02-07 17:25:35.715329 | 172.20.0.2 | port_scan   | 22   | Detected |
+----------------------------+------------+-------------+------+----------+
| 2024-02-07 17:25:35.723765 | 172.20.0.2 | port_scan   | 80   | Detected |
+----------------------------+------------+-------------+------+----------+

Unfortunately, I cannot publish the ssh server container here for IP reasons, but I will try to reproduce this behavior in a minimal setup.

Noteworthy: We are using dropbear and not openssh, so first thing I will try again with an open dropbear server on an off-the-shelf Debian container

Jasper-Ben commented 9 months ago

P.S.: can you please send me the command you used to run nettacker? Maybe I'm doing something wrong there?

Jasper-Ben commented 9 months ago

Ok, I was able to reproduce the issue with the following Dockerfile:

FROM debian:bookworm-slim

# Install dropbear, remove root's password and drop the apt lists
RUN apt-get update \
    && apt-get install -y dropbear \
    && passwd --delete root \
    && rm -rf /var/lib/apt/lists/*

# -B: allow blank-password logins, -F: stay in the foreground
CMD ["/usr/sbin/dropbear", "-B", "-F"]

Using your Dockerfile I was able to detect the open SSH server.

So this indeed is related to dropbear... :thinking: I still think this is a valid issue, since detection should work regardless of SSH server implementation. I will change the title accordingly though.

Jasper-Ben commented 9 months ago

I also just double checked: Nettacker will detect a dropbear server with a weak password (e.g.: python3 nettacker.py -v -i 172.20.0.4 -m ssh_brute -u root -p "root") so this issue really is limited to dropbear without a password.

securestep9 commented 9 months ago

If you look at how SSH module is implemented in Nettacker you will see that it is using Paramiko here:==>

https://github.com/OWASP/Nettacker/blob/e71b449b900cf2b4b289dacdb58adb7351c37328/core/module_protocols/core_ssh.py#L21

The Dropbear authentication failure is apparently a known issue with Paramiko, according to this StackOverflow article: https://stackoverflow.com/questions/71749222/paramiko-authentication-to-server-with-no-password-fails - the same article suggests a workaround:

import paramiko

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Workaround for no authentication:
# https://github.com/paramiko/paramiko/issues/890#issuecomment-906893725
try:
    client.connect(host, port=port, username=username, password=password)
except paramiko.ssh_exception.AuthenticationException as e:
    if not password:
        # Dropbear rejects "password" auth for an empty password, but the transport
        # is still open, so retry with the "none" method that Dropbear accepts here.
        client.get_transport().auth_none(username)
    else:
        raise e

@Jasper-Ben - are you able to test that the StackOverflow-suggested workaround fixes your problem with Dropbear in your local fork of Nettacker? If yes, feel free to submit a PR
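As an added example (not Nettacker's own code and not the StackOverflow snippet), the check below wraps that workaround in a function that also handles a rejected real password and a server that drops the transport, so a defender can audit hosts for blank-password SSH accounts on either server implementation. It assumes Paramiko is installed; `ssh_accepts_login`, `FakeClient`, `FakeDropbear` and `FakeOpenSSH` are hypothetical names, and the fake clients are constructed stand-ins that replay the two server behaviours from this thread without any network.

```python
try:
    import paramiko
    from paramiko.ssh_exception import AuthenticationException, SSHException
except ImportError:  # paramiko absent: the constructed fakes below still exercise the logic
    paramiko = None
    class SSHException(Exception): ...
    class AuthenticationException(SSHException): ...

def ssh_accepts_login(host, port, username, password, client_factory=None):
    # True if host:port lets `username` in with `password` ("" = no password). Dropbear refuses
    # the "password" method for a passwordless account but accepts "none", so we retry "none".
    client = client_factory() if client_factory else paramiko.SSHClient()
    if not client_factory:  # real Paramiko client: accept unknown host keys for the probe
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=username, password=password,
                       timeout=3.0, allow_agent=False, look_for_keys=False)
        return True  # "password" auth accepted (e.g. OpenSSH with PermitEmptyPasswords yes)
    except AuthenticationException:
        if password:
            return False  # a real password was rejected; nothing more to try
        transport = client.get_transport()
        if transport is None or not transport.is_active():
            return False  # server dropped the connection; no transport to retry on
        try:
            transport.auth_none(username)  # raises if the "none" method is refused
            return transport.is_authenticated()
        except SSHException:
            return False
    finally:
        client.close()

class FakeClient:
    # Constructed SSHClient+Transport stand-in (no network); subclasses replay the thread's two servers
    password_ok = none_ok = authed = False
    def close(self): pass
    def get_transport(self): return self
    def is_active(self): return True
    def is_authenticated(self): return self.authed
    def connect(self, host, port, username, password, **kw):
        if not (self.password_ok and password == ""):
            raise AuthenticationException("Authentication failed.")
    def auth_none(self, username):
        if not self.none_ok:
            raise AuthenticationException("none refused")
        self.authed = True

class FakeDropbear(FakeClient): none_ok = True     # passwordless root: "password" fails, "none" works
class FakeOpenSSH(FakeClient): password_ok = True  # PermitEmptyPasswords yes: "" accepted as password
```

Against a real host, call `ssh_accepts_login(host, 22, "root", "")` with no factory; a True result for an empty password is the finding the issue asks Nettacker to report.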

Captain-T2004 commented 9 months ago

@Jasper-Ben, I tried the fix and it worked. After recreating the ssh server from the Dockerfile you gave and updating my version of Nettacker to the latest (0.3.3), I tried the above-mentioned fix and it worked.

Here I have 2 dropbear ssh servers running on localhost ports 22 and 2222 and it was able to detect both.

Command used: python3 nettacker.py -u 'root' -i localhost -m ssh_brute -v
Nettacker version: 0.3.3

Jasper-Ben commented 9 months ago

Nice catch @securestep9! And thanks for testing it @Captain-T2004! 🥳

Jasper-Ben commented 9 months ago

Looking at the original issue report in paramiko, there are also improvements in the pipeline that might fix this: https://github.com/paramiko/paramiko/issues/890#issuecomment-1736567046

Jasper-Ben commented 9 months ago

@Captain-T2004 will you create the PR? 🙂