CrackMapExec
SSH Bruteforcing with Key File
Issues: requires a password to run when bruteforcing with a key file; also a paramiko error.
I installed crackmapexec on kali:
sudo apt-get install crackmapexec
crackmapexec is already the newest version (5.1.5-0kali1).
Works:
sudo crackmapexec ssh 192.168.0.25 --key-file id_rsa -u ./users.txt -p 'password'
SSH 192.168.0.25 22 192.168.0.25 [*] SSH-2.0-OpenSSH_7.9
SSH 192.168.0.25 22 192.168.0.25 [+] user:password (keyfile: id_rsa)
Doesn't Work:
sudo crackmapexec ssh 192.168.0.25 --key-file id_rsa -u ./users.txt
Also kept getting this when it didn't work:
ERROR:paramiko.transport:Unknown exception: q must be exactly 160, 224, or 256 bits long
ERROR:paramiko.transport:Traceback (most recent call last):
ERROR:paramiko.transport: File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run
ERROR:paramiko.transport: handler(self.auth_handler, m)
ERROR:paramiko.transport: File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept
ERROR:paramiko.transport: sig = self.private_key.sign_ssh_data(blob)
ERROR:paramiko.transport: File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 108, in sign_ssh_data
ERROR:paramiko.transport: key = dsa.DSAPrivateNumbers(
ERROR:paramiko.transport: File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 250, in private_key
ERROR:paramiko.transport: return backend.load_dsa_private_numbers(self)
ERROR:paramiko.transport: File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 853, in load_dsa_private_numbers
ERROR:paramiko.transport: dsa._check_dsa_private_numbers(numbers)
ERROR:paramiko.transport: File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 147, in _check_dsa_private_numbers
ERROR:paramiko.transport: _check_dsa_parameters(parameters)
ERROR:paramiko.transport: File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 139, in _check_dsa_parameters
ERROR:paramiko.transport: raise ValueError("q must be exactly 160, 224, or 256 bits long")
ERROR:paramiko.transport:ValueError: q must be exactly 160, 224, or 256 bits long
ERROR:paramiko.transport:
SSH 192.168.0.25 22 192.168.0.25 [-] user:password (keyfile: id_rsa) q must be exactly 160, 224, or 256 bits long
SSH 192.168.0.25 22 192.168.0.25 [+] gooduser:password (keyfile: id_rsa)
up! nothing is returned.
I believe you can pass in -p '', but yeah, it's sorta annoying that you have to. I'll take a look at fixing this in my new SSH branch. I was also getting the "q must be" issue but haven't looked into why it's throwing that. Perhaps a sanity check on the key should be done before attempting anything.
Okay it looks like when SSH authentication fails with an RSA key, it attempts to use it as a DSA key (seen in the errors, dsa.py), which then throws the ValueError since it's not a DSA key.
See https://github.com/paramiko/paramiko/pull/1606
Looks like Paramiko is just incredibly slow to update... We might want to use Paramiko-ng since it actually receives regular updates...
I used the solution outlined in https://github.com/paramiko/paramiko/issues/2048#issuecomment-1516124834 and pushed this to my current branch working on stuff. We'll need to test it and then it can be pushed to sponsors.
There was some discussion about this and we are going to still require the -p parameter, even if there's no password, to provide consistency across protocols.
If a keyfile is used, and no password, CME will exit before continuing, and alert the end user that a password is still required, even if empty.
Consistency is key (no pun intended) for us, so even though it may seem extraneous to add in, it keeps things similar for users.
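The key sanity check suggested above, as an added example that is not code from CrackMapExec or paramiko: it reads the PEM label of a legacy key file or, for openssh-key-v1 files, the key-type string inside the embedded public key, and maps it to the paramiko class that should load it, so an RSA key is never handed to the DSS loader as a fallback. The paramiko class names are assumed from paramiko's naming (DSSKey is the one in the traceback), and make_openssh_key_file builds constructed input with dummy key material so the check can be exercised offline.

```python
import base64
import struct

# PEM label (legacy files) or openssh-key-v1 key-type string -> paramiko key class
PEM_LABELS = {"RSA PRIVATE KEY": "RSAKey", "DSA PRIVATE KEY": "DSSKey", "EC PRIVATE KEY": "ECDSAKey"}
OPENSSH_TYPES = {"ssh-rsa": "RSAKey", "ssh-dss": "DSSKey", "ssh-ed25519": "Ed25519Key"}
MAGIC = b"openssh-key-v1\x00"

def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    """Decode the SSH wire 'string' at off; return (bytes, offset after it)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length

def identify_key_file(text):
    """Return the paramiko key class matching a private key file, or None if unrecognised."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        return None
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label in PEM_LABELS:          # legacy PEM: the label names the algorithm
        return PEM_LABELS[label]
    if label != "OPENSSH PRIVATE KEY":
        return None
    try:                             # openssh-key-v1: type is inside the first pubkey blob
        blob = base64.b64decode("".join(lines[1:-1]), validate=True)
        if not blob.startswith(MAGIC):
            return None
        off = len(MAGIC)
        for _ in range(3):           # skip ciphername, kdfname, kdfoptions
            _, off = _read_string(blob, off)
        pub, _ = _read_string(blob, off + 4)   # skip uint32 nkeys, read first public key
        keytype, _ = _read_string(pub, 0)      # its leading key-type string
    except (ValueError, struct.error):
        return None                  # truncated, corrupt or not a key file at all
    keytype = keytype.decode("ascii", "replace")
    if keytype.startswith("ecdsa-sha2-"):
        return "ECDSAKey"
    return OPENSSH_TYPES.get(keytype)

def make_openssh_key_file(keytype):
    """CONSTRUCTED unencrypted openssh-key-v1 file with dummy key material (offline test input)."""
    pub = _ssh_string(keytype.encode()) + _ssh_string(b"\x00" * 8)
    body = (MAGIC + _ssh_string(b"none") * 2 + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(pub) + _ssh_string(b"\x00" * 16))
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

A tool can call identify_key_file() on the --key-file contents before any connection and refuse the run when it returns None, instead of letting the auth path fall through to the DSS loader and its ValueError.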
Hello,
Thanks for the issue, it is now fixed in the latest public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0
Regards,
mpgn