ssh_brute: Detect open dropbear server
Jasper-Ben opened this issue
Issue
Currently, the brute modules (at least ssh) do not scan for empty passwords.
Setup
Container running an open SSH server (aka, user=root, password="") in the same network as the Nettacker container.
I can successfully connect to the SSH server from inside the Nettacker container using ssh root@<ip> without a password prompt.
Expected behavior
Nettacker should detect a passwordless SSH server.
Actual behaviour
- By default, Nettacker does not attempt to connect without password.
- Running
  python3 nettacker.py -v -i <ip> -m ssh_brute -u "root" -p ""
  will fall back to default password list (since passwords is empty)
- Creating a passwordlist file only containing a newline and running
  python3 nettacker.py -v -i <ip> -m ssh_brute -u "root" --passwords-list=passwords.txt
  will use an empty password, but will still fail to detect the open SSH server:
{"timeout": 3.0, "host": "172.23.0.3", "ports": "22", "usernames": "root", "passwords": "", "method": "ssh_brute_force", "response": {"condition_type": "or", "conditions_results": []}}
[2023-07-09 12:24:45][+] process-1|ssh_brute|172.23.0.3| finished module thread number 1 from 1
+----------------------------+------------+-------------+------+----------+
| date | target | module_name | port | logs |
+============================+============+=============+======+==========+
| 2023-07-09 12:24:44.491141 | 172.23.0.3 | port_scan | 22 | Detected |
+----------------------------+------------+-------------+------+----------+
| 2023-07-09 12:24:44.507036 | 172.23.0.3 | port_scan | 80 | Detected |
+----------------------------+------------+-------------+------+----------+
Suggested solution
Nettacker should, regardless of provided passwords, always attempt to connect without providing a password.
Nettacker Version
owasp/nettacker:0.3.1 container image
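
The fallback described in this report (an empty `-p ""` being treated as "no passwords given") is what a truthiness test on the option value produces. The sketch below is an added illustration, not Nettacker's code: it contrasts that test with one that distinguishes "not given" from "empty" and always includes the empty password, as the suggested solution asks. All function names, the default list and the comma separator are assumptions.

```python
# Added illustration with hypothetical names; not Nettacker's code.
DEFAULT_PASSWORDS = ["admin", "123456"]  # constructed stand-in for a built-in list


def parse_password_file(text):
    """One candidate per line; a blank line is kept as the empty password."""
    lines = text.split("\n")
    # A trailing newline leaves one spurious empty final element; drop only that.
    if lines and lines[-1] == "":
        lines.pop()
    return [line.rstrip("\r") for line in lines]


def candidates_truthy(cli_value, defaults=DEFAULT_PASSWORDS):
    """Truthiness fallback: '' is indistinguishable from 'option not given'."""
    return cli_value.split(",") if cli_value else list(defaults)


def candidates_explicit(cli_value=None, file_text=None, defaults=DEFAULT_PASSWORDS):
    """None means 'not given'; '' is a real candidate and is always tried first."""
    if file_text is not None:
        chosen = parse_password_file(file_text)
    elif cli_value is not None:
        chosen = cli_value.split(",")  # comma separator is an assumption
    else:
        chosen = list(defaults)
    # Prepend the empty password, then de-duplicate while preserving order.
    return list(dict.fromkeys([""] + chosen))


if __name__ == "__main__":
    print("truthy   -p '':", candidates_truthy(""))
    print("explicit -p '':", candidates_explicit(""))
    print("explicit, newline-only file:", candidates_explicit(file_text="\n"))
    print("explicit, nothing given:", candidates_explicit())
```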