
SSH Wide Compatibility Mode Unsupported [BUG]

Open godylockz opened this issue 1 year ago • 2 comments

Description:

Running SSH in "Wide Compatibility Mode" causes hydra not to error out. This is enabled via kali-tweaks -> Hardening or adding the following to /etc/ssh/ssh_config. The + indicates append to default.

Host *
  Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
  KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
  HostKeyAlgorithms +ssh-rsa,[email protected],ssh-dss,[email protected]
  PubkeyAcceptedAlgorithms +ssh-rsa,[email protected],ssh-dss,[email protected]                                                                                                                                                                                              

Versions

Kali Version 2022.3, Hydra v9.3

Error

$ hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://10.10.11.166
[INFO] Testing if password authentication is supported by ssh://[email protected]:22
[2022/09/28 00:41:59.494904, 1] socket_callback_connected:  Socket connection callback: 1 (0)
[2022/09/28 00:41:59.526248, 1] ssh_client_select_hostkeys:  List of allowed host key algorithms is empty or contains only unsupported algorithms
[ERROR] could not connect to ssh://10.10.11.166:22 - ssh_set_client_kex: Out of memory

Expected behavior

SSH bruteforcing should work correctly in Wide Compatibility mode. CrackMapExec works in the meantime:

cme ssh 10.10.11.166 -u michael -p /usr/share/wordlists/rockyou.txt

godylockz avatar Sep 28 '22 04:09 godylockz

I think I have the same issue, using the "Wide Compatibility Mode" too, same version of OS and Hydra.

Here is my debug data:

┌──(root㉿kali)-[~]
└─# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.47.129:22 -t 4 -vV -d
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-29 18:07:50
[DEBUG] cmdline: hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 4 -vV -d ssh://192.168.47.129:22 
[DEBUG] opt:9 argc:10 mod:ssh tgt:192.168.47.129 port:22 misc:(null)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1009 login tries (l:1/p:1009), ~253 tries per task
[DATA] attacking ssh://192.168.47.129:22/
[VERBOSE] Resolving addresses ... 
[DEBUG] resolving 192.168.47.129
[VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://[email protected]:22
[ERROR] could not connect to ssh://192.168.47.129:22 - ssh_set_client_kex: Out of memory

ClaudioVarandas avatar Sep 29 '22 22:09 ClaudioVarandas

A quick search for this and libssh did not reveal the config change required. I do not have time to work on this for the next weeks so if someone can send a PR this would be great ...

vanhauser-thc avatar Sep 30 '22 07:09 vanhauser-thc

Hello,

this issue should be fixed in Kali Linux, as of today, with the latest version of kali-tweaks 2023.1.2, that just landed in kali-rolling.

Steps to follow:

  1. Run sudo apt update && sudo apt full-upgrade -y to upgrade your Kali install.
  2. Make sure the latest version of kali-tweaks was installed with dpkg -l | grep kali-tweaks (expect version 2023.1.2 or higher).
  3. Then run kali-tweaks and enable the « SSH Wide Compatibility ». If it's already enabled, please disable it, confirm, then enable it again.

After that, it should work. Please report that the issue is indeed fixed.

For the curious, details on the exact issue can be found at: https://gitlab.com/kalilinux/packages/kali-tweaks/-/merge_requests/8#note_1241868100

Thanks!

elboulangero avatar Jan 18 '23 08:01 elboulangero

I was told that it still fails, this time with a different error message:

[ERROR] could not connect to ssh://10.11.1.115:22 - kex error : no match for method mac algo client->server: server [hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96], client [[email protected],[email protected],hmac-sha2-256,hmac-sha2-512]

So I just updated kali-tweaks so that, in « SSH Wide Compatibility » mode, the legacy MACs are also enabled. This was released in kali-tweaks version 2023.1.3.

For anyone interested to test, same procedure as above to update (steps 1, 2 and 3). Thanks!

elboulangero avatar Jan 26 '23 09:01 elboulangero

Still the same issue, I tried in latest Kali. Any update on this? Regular ssh command works, medusa works, nmap script works, but not hydra.

[ERROR] could not connect to ssh://10.0.0.169:22 - kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,[email protected],[email protected]]

chinnidiwakar avatar Sep 12 '23 07:09 chinnidiwakar

@chinnidiwakar Did you enable SSH "Wide Compatibility Mode" in Kali? This is enabled via command kali-tweaks, then in the menu Hardening.

elboulangero avatar Sep 12 '23 08:09 elboulangero

Yes, the issue was after fixing that only. I have also tried to add them to the config file, that did not help either.

chinnidiwakar avatar Sep 12 '23 08:09 chinnidiwakar

I ran into this problem with Ubuntu:

[ERROR] could not connect to ssh://192.168.5.133:22 - kex error : no match for method server host key algo: server [rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519], client [ssh-rsa] 

rickiey avatar Sep 12 '23 08:09 rickiey

@chinnidiwakar Just to be sure, can you give me the output of:

ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort

Thanks

elboulangero avatar Sep 12 '23 09:09 elboulangero

[image: image.png] here it is

chinnidiwakar avatar Sep 12 '23 09:09 chinnidiwakar

@chinnidiwakar Didn't work, there's no image

elboulangero avatar Sep 13 '23 01:09 elboulangero

Screenshot 2023-09-12 151812 is it visible now?

chinnidiwakar avatar Sep 13 '23 04:09 chinnidiwakar

Yes it's visible, thanks!

I find it a bit surprising, as I don't get the same output on my side (also an up-to-date Kali system), I have a few more algos:

┌──(kali㉿kali)-[~]
└─$ ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort
ecdsa-sha2-nistp256
[email protected]
ecdsa-sha2-nistp384
[email protected]
ecdsa-sha2-nistp521
[email protected]
rsa-sha2-256
[email protected]
rsa-sha2-512
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
ssh-dss
[email protected]
ssh-ed25519
[email protected]
ssh-rsa
[email protected]
[email protected]

Can you also share the output of those commands please:

┌──(kali㉿kali)-[~]
└─$ ls /etc/ssh/ssh_config.d                      
kali-wide-compat.conf
                                                                                                                              
┌──(kali㉿kali)-[~]
└─$ cat /etc/ssh/ssh_config.d/kali-wide-compat.conf 
# The configuration below enables legacy ciphers and algorithms,
# to allow interacting with old servers that still use those.
#
# If the setting(s) in this file are not desirable, do NOT
# modify this file. Instead, start 'kali-tweaks' in a
# terminal and change the setting from there.

Host *
    Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
    KexAlgorithms [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-dss,[email protected],ssh-rsa,[email protected],[email protected]
    MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-md5-96,[email protected],[email protected],hmac-sha1-96,[email protected]
    PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-dss,[email protected],ssh-rsa,[email protected],[email protected]

Thanks

elboulangero avatar Sep 13 '23 04:09 elboulangero

The only thing different on Kali Wide Compatibility config since the fix is..

    MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-md5-96,[email protected],[email protected],hmac-sha1-96,[email protected]

Can you please confirm you are getting positive attempts using another SSH bruteforce utility such as crackmapexec?

Any additional details for debugging on the target, that would be great.

The original target I created the issue for still works.

godylockz avatar Sep 13 '23 04:09 godylockz

└─# ls /etc/ssh/ssh_config.d/kali-wide-compat.conf 
/etc/ssh/ssh_config.d/kali-wide-compat.conf
                                                                                                                              
┌──(root㉿kali)-[~]
└─# cat /etc/ssh/ssh_config.d/kali-wide-compat.conf               
# The configuration below enables legacy ciphers and algorithms,
# to allow interacting with old servers that still use those.
#
# If the setting(s) in this file are not desirable, do NOT
# modify this file. Instead, start 'kali-tweaks' in a
# terminal and change the setting from there.

Host *
    Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
    KexAlgorithms [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-dss,[email protected],ssh-rsa,[email protected],[email protected]
    MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-md5-96,[email protected],[email protected],hmac-sha1-96,[email protected]
    PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-dss,[email protected],ssh-rsa,[email protected],[email protected]

chinnidiwakar avatar Sep 15 '23 08:09 chinnidiwakar

└─# crackmapexec ssh 10.0.0.159 -u root -p pass.txt
SSH         10.0.0.159      22     10.0.0.159       [*] SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH         10.0.0.159      22     10.0.0.159       [-] root:password Authentication failed.
SSH         10.0.0.159      22     10.0.0.159       [+] root:toor (Pwn3d!)

chinnidiwakar avatar Sep 15 '23 09:09 chinnidiwakar

image

chinnidiwakar avatar Sep 15 '23 09:09 chinnidiwakar

@chinnidiwakar Thanks for the feedback. Something doesn't really match in your config though.

We have the same config file /etc/ssh/ssh_config.d/kali-wide-compat.conf, however the output of the command ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort that you pasted above doesn't match mine. In this output, the following algos are missing:

ssh-dss
[email protected]
[email protected]
[email protected]

Are you sure that you don't have some other config (in /etc/ssh/ssh_config.d or in /etc/ssh/ssh_config) that modifies HostKeyAlgorithms?

Besides, the list of algos proposed by hydra (last line, client [...]) doesn't match the algos listed by the command ssh -G '*'... It's all confusing to me.

elboulangero avatar Sep 15 '23 09:09 elboulangero

[image] Nope, only one under ssh_config.d

and only this content in ssh_config

└─# cat /etc/ssh/ssh_config                        

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Include /etc/ssh/ssh_config.d/*.conf

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

chinnidiwakar avatar Sep 17 '23 15:09 chinnidiwakar

Ok... What about your ~/.ssh directory, any config there?

So far I can't explain why the command ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort doesn't show all algorithms, it might be related to the issue you're having. But it's something in your setup, so you should try to sort that out first.

elboulangero avatar Sep 18 '23 03:09 elboulangero

└─# cd .ssh                    
                                                                                                                              
┌──(root㉿kali)-[~/.ssh]
└─# ls                     
config  known_hosts  known_hosts.old
                                                                                                                              
┌──(root㉿kali)-[~/.ssh]
└─# cat config             
Host *
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
Ciphers +aes128-cbc,aes256-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group14-sha1
                                                                                                                              
┌──(root㉿kali)-[~/.ssh]
└─# cat known_hosts
                                                                                                                              
┌──(root㉿kali)-[~/.ssh]
└─# cat known_hosts.old 
                                                                                                                              
┌──(root㉿kali)-[~/.ssh]
└─# 

chinnidiwakar avatar Sep 18 '23 18:09 chinnidiwakar

This is the default Kali, downloaded and used straight from the kali.org website, and the same issue persists in 10 or more other Kalis, so I don't even know where the issue is to fix.

chinnidiwakar avatar Sep 18 '23 18:09 chinnidiwakar

@chinnidiwakar

The file ~/.ssh/config is what's causing the issue. You surely see that this file defines PubkeyAcceptedAlgorithms and HostkeyAlgorithms and Ciphers and KexAlgorithms, right? Hence those settings take precedence over what's in /etc/ssh/ssh_config.d/kali-wide-compat.conf. In other words, Kali Wide Compat settings are ignored.

So please remove the file ~/.ssh/config and maybe that will be enough to fix the issue.

Also, this file is not Kali's default, what's in ~/.ssh/ was added by you.

elboulangero avatar Sep 19 '23 01:09 elboulangero
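The precedence rule behind this diagnosis, as an added example that is not part of the thread or of hydra or kali-tweaks: a simplified Python model of ssh_config resolution (first obtained value wins, per-user file before system-wide file, `+` appends to the default set). `ASSUMED_DEFAULT`, the abridged `SYSTEM_CONFIG` excerpt and the function names are constructed for illustration; `Match`, `Include`, host patterns and the `-`/`^` prefixes are not modelled.

```python
# Constructed stand-in for OpenSSH's built-in default list (varies by version).
ASSUMED_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]

# ~/.ssh/config as posted in the thread.
USER_CONFIG = """\
Host *
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
Ciphers +aes128-cbc,aes256-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group14-sha1
"""

# Abridged, constructed excerpt in the shape of kali-wide-compat.conf.
SYSTEM_CONFIG = """\
Host *
    HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-dss,ssh-rsa
    MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
"""

# Highest precedence first: the per-user file is read before the system-wide one.
SOURCES = [
    ("~/.ssh/config", USER_CONFIG),
    ("/etc/ssh/ssh_config.d/kali-wide-compat.conf", SYSTEM_CONFIG),
]


def parse(text):
    """Return {lowercased keyword: raw value}; the first occurrence in a file wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive (HostkeyAlgorithms)
        if keyword != "host":
            settings.setdefault(keyword, parts[1].strip())
    return settings


def resolve(keyword, sources, default):
    """Return (winning source, effective algorithm list, shadowed sources)."""
    keyword = keyword.lower()
    setters = []
    for name, text in sources:
        value = parse(text).get(keyword)
        if value is not None:
            setters.append((name, value))
    if not setters:
        return None, list(default), []
    winner, raw = setters[0]
    if raw.startswith("+"):  # '+' appends to the default set
        extra = raw[1:].split(",")
        effective = list(default) + [a for a in extra if a not in default]
    else:  # a plain list replaces the default set
        effective = raw.split(",")
    return winner, effective, [name for name, _ in setters[1:]]


if __name__ == "__main__":
    for kw in ("HostKeyAlgorithms", "MACs"):
        winner, effective, shadowed = resolve(kw, SOURCES, ASSUMED_DEFAULT)
        print(f"{kw}: set by {winner}, ignored in {shadowed or 'none'}")
        print("  effective:", ",".join(effective))
```

With the posted ~/.ssh/config in place, HostKeyAlgorithms resolves to the default set plus ssh-rsa, so ssh-dss from the system-wide file never takes effect, while MACs (not set in the user file) still comes from the system-wide file.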

Hi, sorry for the delayed response, and thanks for noticing. That config file is a small workaround that I found on Stack Overflow and forgot to remove later. As you explained, I think it takes precedence and my kali-tweaks modifications were not being applied. I removed the file and now hydra could crack it just as expected. Thanks for your time and support with all this back and forth. I will try to re-execute all the commands and will share the output for future reference. Thanks again.

chinnidiwakar avatar Sep 22 '23 07:09 chinnidiwakar

[ERROR] could not connect to ssh://192.168.0.149:22 - kex error : no match for method server host key algo: server [ssh-dss], client [ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa]

Crackmapexec

ValueError: p must be exactly 1024, 2048, 3072, or 4096 bits long

I did the kali tweak. No ~/.ssh/config

root@localhost:~# ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort
ecdsa-sha2-nistp256
[email protected]
ecdsa-sha2-nistp384
[email protected]
ecdsa-sha2-nistp521
[email protected]
rsa-sha2-256
[email protected]
rsa-sha2-512
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
ssh-dss
[email protected]
ssh-ed25519
[email protected]
ssh-rsa
[email protected]
[email protected]

ulist avatar Sep 29 '23 03:09 ulist
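The comparison made by hand several times in this thread (the server and client lists in hydra's `kex error` line against the `ssh -G` output), as an added Python example that is not part of the thread or of hydra. The error lines are copied from the posts above; the `ssh -G` excerpt is constructed, and the method-to-keyword mapping and function names are assumptions made for this example.

```python
import re

# Shape of the negotiation failure message quoted in the thread.
KEX_ERROR = re.compile(
    r"kex error : no match for method (?P<method>[^:]+): "
    r"server \[(?P<server>[^\]]*)\], client \[(?P<client>[^\]]*)\]"
)

# Assumption: ssh_config keyword governing each method name seen in the thread.
METHOD_TO_KEYWORD = {
    "server host key algo": "HostKeyAlgorithms",
    "mac algo client->server": "MACs",
}

# Error lines copied from two reports in the thread.
ERROR_DSS_SERVER = (
    "[ERROR] could not connect to ssh://192.168.0.149:22 - kex error : no match "
    "for method server host key algo: server [ssh-dss], client [ssh-ed25519,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,"
    "rsa-sha2-256,ssh-rsa]"
)
ERROR_RSA_ONLY_CLIENT = (
    "[ERROR] could not connect to ssh://192.168.5.133:22 - kex error : no match "
    "for method server host key algo: server [rsa-sha2-512,rsa-sha2-256,"
    "ecdsa-sha2-nistp256,ssh-ed25519], client [ssh-rsa]"
)

# Constructed excerpt of `ssh -G '*'` output (the real output has many more lines).
SSH_G_OUTPUT = """\
user root
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-dss,ssh-rsa
macs hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""


def effective(ssh_g_output, keyword):
    """Algorithm list that OpenSSH resolved for one keyword (ssh -G prints lowercase)."""
    for line in ssh_g_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].split(",")
    return []


def diagnose(error_line, ssh_g_output):
    """Classify each server algorithm that the hydra client did not propose."""
    m = KEX_ERROR.search(error_line)
    if m is None:
        return None
    method = m["method"].strip()
    server = [a for a in m["server"].split(",") if a]
    client = [a for a in m["client"].split(",") if a]
    keyword = METHOD_TO_KEYWORD.get(method)
    openssh = effective(ssh_g_output, keyword) if keyword else []
    missing = [a for a in server if a not in client]
    return {
        "method": method,
        "keyword": keyword,
        # ssh -G lists it, yet hydra did not propose it: editing ssh_config
        # further will not help, the two clients disagree on the effective list.
        "enabled_in_openssh_only": [a for a in missing if a in openssh],
        # Not in the resolved OpenSSH config either: the keyword needs the algorithm.
        "enabled_nowhere": [a for a in missing if a not in openssh],
    }


if __name__ == "__main__":
    for line in (ERROR_DSS_SERVER, ERROR_RSA_ONLY_CLIENT):
        print(diagnose(line, SSH_G_OUTPUT))
```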