x90skysn3k / brutespray

Bruteforcing from various scanner output - Automatically attempts default creds on found services.
MIT License

Brutespray hanging #49

Closed gbiagomba closed 2 years ago

gbiagomba commented 3 years ago

Hello,

I have had this issue I noticed with brutespray where it hangs and does not close. Like it has been hanging on the output below for almost 24 hours. I tried killing it and restarting it and it seems to hang around the same point. Unfortunately I can not share the original gnmap file but I can say the file is 46MB. Would it be possible to add a max-time per host kinda like nmap or a max time to the entire program. So if it starts to hang the program can force-restart itself and resume where it left off.

NOTICE: [ssh] Host: 127.0.0.1 - Login thread (7) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 127.0.0.1 User: REDACTED Password: Br0ken!! - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (3/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (3/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (4/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
NOTICE: [ssh] Host: 127.0.0.1 - Login thread (4) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 127.0.0.1 User: REDACTED Password: REDACTED - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (4/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
NOTICE: [ssh] Host: 127.0.0.1 - Login thread (1) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 127.0.0.1 User: REDACTED Password: REDACTED - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 127.0.0.1 User: REDACTED Pass: REDACTED

Here is the error dump I got when I kill it:

^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
    pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/usr/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/bin/brutespray", line 286, in brute
    for line in iter(p.stdout.readline, b''):
KeyboardInterrupt

c-f commented 3 years ago

Unfortunately I could reproduce the problem. Currently Medusa does not have a host timeout, or any timeout option in general. If you have a bad host (e.g. https://en.wikipedia.org/wiki/Tarpit_(networking) or an unresponsive service) which keeps the TCP connection alive, never closes it and doesn't return any banner, Medusa will wait for it.

Possible Reason

However, this should most likely be an error in the libssh2 library. After reading through the code of Medusa I stumbled upon the following line, if (libssh2_session_startup(session, hSocket)), and a note from the author:

Some notes regarding libssh2... Using the stock libssh2 library, it is likely that the user will encounter hung module threads when running Medusa. This problem is due to libssh2's libssh2_session_startup() not always returning. The cause of this hang within libssh2, I believe, stems from the SSH servers being tested getting pissed and not sending back a banner.

So there you have it - it's officially documented since 2015, but I'm unsure whether this is really the problem or whether it's 00:21 and I don't see clearly :D

Since the problem is already in Medusa, brutespray is not able to help here*.

Implementation ideas:

Alternative solutions:

In my opinion: use the right tool for the right job. That means that you need to search for an alternative for SSH or clean your host list of those services.

Side note: the same applies to MySQL. Newer versions cannot be identified or tested with Medusa (https://github.com/jmk-foofus/medusa/blob/292193b3995444aede53ff873899640b08129fc7/src/modsrc/mysql.c#L814).

I guess the problem of implementing everything in C should be a problem of the past with all these great open source libraries available, which abstract a vast amount of logic.

Reproduce

Medusa: v.2.2 libssh2-1: 1.8.0-2.1build1

Simply reproduce by specifying an open NC connection:

user@localhost:  nc -l -p 1337 

user@localhost: time medusa -u test -p test -M ssh -h 127.0.0.1 -n 1337 -v1000000 -w10000

I killed the connection after one hour.

Debug output of medusa

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

DEBUG [E5FA0D80]: Successfully loaded login information.
GENERAL: Parallel Hosts: 1 Parallel Logins: 1
GENERAL: Total Hosts: 1 
GENERAL: Total Users: 1
GENERAL: Total Passwords: 1
DEBUG AUDIT [E5FA0D80]: adding new server (0) to queue
DEBUG AUDIT [E5FA0D80]: waiting for server pool to end
DEBUG SERVER [E5F9F700]: Server ID: 0 Host: 127.0.0.1 iUserPassCnt: 1 iLoginCnt: 1
DEBUG SERVER [E5F9F700]: Set IPv4 address: 127.0.0.1 (127.0.0.1)
DEBUG SERVER [E5F9F700]: Adding new login task (0) to server queue (0)
DEBUG SERVER [E5F9F700]: waiting for server 0 login pool to end
DEBUG [E579E700]: startModule iId: 0 pLogin: E5F9EAB0 modParams->argv: D2460ED0 modParams: E5F9EA90
DEBUG [E579E700]: Trying module path of .
DEBUG [E579E700]: Attempting to load ./ssh.mod
DEBUG [E579E700]: Trying module path of /usr/lib/x86_64-linux-gnu/medusa/modules
DEBUG [E579E700]: Attempting to load /usr/lib/x86_64-linux-gnu/medusa/modules/ssh.mod
DEBUG MODULE [E579E700]: OMG teh ssh.mod module has been called!!
DEBUG [E579E700]: [getNextNormalCred] Initial credential set request for login module.
DEBUG [E579E700]: [getNextNormalCred] (PARALLEL_LOGINS_PASSWORD) setting user: test
DEBUG MODULE [E579E700]: [ssh.mod] module started for host: 127.0.0.1 user: test
DEBUG MODULE [E579E700]: Attempting to set banner: SSH-2.0-MEDUSA_1.0
DEBUG MODULE [E579E700]: Attempting to initiate SSH session.
DEBUG [E579E700]: Connected (internal)
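As an added illustration of the failure mode described above (example code, not from brutespray or Medusa): a banner probe with a read deadline, which is the per-host timeout that libssh2_session_startup() lacks, plus two constructed loopback servers, one that answers with a banner and one that behaves like the `nc -l -p 1337` reproduction. The banner string, ports and handler names are constructed for the example.

```python
import socket
import threading


def serve_local(handler):
    """Constructed loopback server (a test stand-in, not brutespray or Medusa
    code) that hands each accepted connection to `handler`; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def tarpit_handler(conn):
    # Like `nc -l -p 1337` in the reproduction: accept the TCP connection,
    # then say nothing until the peer gives up and closes.
    with conn:
        conn.recv(1)


def banner_handler(conn):
    # A well-behaved SSH server sends its identification string right away.
    with conn:
        conn.sendall(b"SSH-2.0-OpenSSH_8.2\r\n")


def probe_ssh_banner(host, port, timeout=5.0):
    """Return the SSH identification line, or None when the service accepts
    the TCP connection but sends no banner within `timeout` seconds. The read
    deadline is what turns an indefinite hang into a result you can act on."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while not data.endswith(b"\n") and len(data) < 255:  # RFC 4253 cap
                chunk = s.recv(255 - len(data))
                if not chunk:        # peer closed without a banner
                    return None
                data += chunk
    except OSError:                  # covers socket.timeout and refused connects
        return None
    line = data.decode("ascii", "replace").strip()
    return line if line.startswith("SSH-") else None
```

Hosts for which probe_ssh_banner() returns None are the ones to drop from the list before handing it to Medusa, since its SSH module would block on them indefinitely.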

x90skysn3k commented 3 years ago

This should be simple to fix by pushing a patch to Medusa (https://github.com/jmk-foofus/medusa). I will look into it.

gbiagomba commented 3 years ago

Thank you @x90skysn3k