Problems when running the ssh plugin

[bleh92]

Helloo,
I am a github noob, so forgive me if I am doing this wrong.

So I was testing your tool to brute force SSH credentials on 2 machines in my network. I have installed all the dependencies and the tool runs without any error.
My machine:-
Linux Bruteforcer 5.4.0-166-generic #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

It is the same for the other 2 machines as well.

So the command I used was:
./legba ssh --username ubuntu --password wordlists/passwords.txt --target @target.txt -O result --output-format jsonl -Q
and go the expected result

Also note that the only password stored in the passwords.txt is Lab4man1.

When I run the same command but this time remove the -Q flag, I get this error

This keeps running forever, until I stop it.

If there are multiple passwords in the password list the same error as the over one is noticed. But in case of -Q flag , it doesn't run forever.

Multiple passwords file:

./legba ssh --username ubuntu --password wordlists/password-new.txt --target @target.txt -O result --output-format jsonl

./legba ssh --username ubuntu --password wordlists/password-new.txt --target @target.txt -O result --output-format jsonl -Q

Once again , sorry If this isn't the way to ask a question.
Thank you.

[evilsocket]

@bleh92 none of these are errors, but informative messages of the progress, except for the last one ... in the last one, I can see the machines are not responding anymore ("deadline has elapsed" means a timeout while connecting) so the reason why it's taking forever is probably because they've stopped responding after the first attempt?

can you ssh manually to those machines when this is happening?

[bleh92]

@bleh92 none of these are errors, but informative messages of the progress, except for the last one ... in the last one, I can see the machines are not responding anymore ("deadline has elapsed" means a timeout while connecting) so the reason why it's taking forever is probably because they've stopped responding after the first attempt?

can you ssh manually to those machines when this is happening?

Yes, I checked just now. I am able to ssh simultaneously while the script is running.

[evilsocket]

to both targets, from the same machine? is fail2ban active?

[bleh92]

Yes, I am able to ssh to both .10 and .11 at the same time, while the script is running, and both .10 and .11 are fresh installations.
But just in case
A screenshot of .10 machine

[evilsocket]

mmm weird ... can you run legba by prepending RUST_LOG=debug and pasting the log here please?

RUST_LOG=debug ./legba ssh --username ubuntu --password wordlists/passwords.txt --target @target.txt

[bleh92]

For the command you have suggested above, it again runs endlessly

when I run it using -Q i.e,
RUST_LOG=debug ./legba ssh --username ubuntu --password wordlists/passwords.txt --target @target.txt -Q
this password file has only 1 password which is Lab4man1, which is the correct password to login to my machines.

this is the output.
legba v0.4.0

`[INFO ] targets (2): @target.txt
[DEBUG] loading wordlist from wordlists/passwords.txt ...
[DEBUG] loading wordlist from wordlists/passwords.txt ...
[INFO ] username -> string 'ubuntu'
[INFO ] password -> wordlist wordlists/passwords.txt

[DEBUG] loading wordlist from wordlists/passwords.txt ...
[DEBUG] loading wordlist from wordlists/passwords.txt ...
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] read_ssh_id: reading
[DEBUG] read_ssh_id: reading
[DEBUG] read 41
[DEBUG] Ok("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9\r\n")
[DEBUG] writing, seqn = 0
[DEBUG] padding length 10
[DEBUG] packet_length 628
[DEBUG] writing 632 bytes
[DEBUG] id 41 41
[DEBUG] read 41
[DEBUG] Ok("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9\r\n")
[DEBUG] writing, seqn = 0
[DEBUG] padding length 10
[DEBUG] packet_length 628
[DEBUG] writing 632 bytes
[DEBUG] id 41 41
[DEBUG] reading, len = [0, 0, 4, 28]
[DEBUG] reading, seqn = 0
[DEBUG] reading, clear len = 1052
[DEBUG] read_exact 1056
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] extending []
[DEBUG] kex 189
[DEBUG] kex 211
[DEBUG] kex 219
[DEBUG] client_compression = None
[DEBUG] algo = Names { kex: Name("curve25519-sha256"), key: Name("ssh-ed25519"), cipher: Name("chacha20-poly1305@openssh.com"), client_mac: Name("hmac-sha2-512-etm@openssh.com"), server_mac: Name("hmac-sha2-512-etm@openssh.com"), server_compression: None, client_compression: None, ignore_guessed: false }
[DEBUG] write = []
[DEBUG] i0 = 617
[DEBUG] writing, seqn = 1
[DEBUG] padding length 6
[DEBUG] packet_length 44
[DEBUG] moving to kexdhdone, exchange = Exchange { client_id: CryptoVec { p: 0x7f1678014260, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678014210, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780146e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801a2b0, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801ae90, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x1, size: 0, capacity: 0 } }
[DEBUG] reading, len = [0, 0, 4, 28]
[DEBUG] reading, seqn = 0
[DEBUG] reading, clear len = 1052
[DEBUG] read_exact 1056
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] extending []
[DEBUG] kex 189
[DEBUG] kex 211
[DEBUG] kex 219
[DEBUG] client_compression = None
[DEBUG] algo = Names { kex: Name("curve25519-sha256"), key: Name("ssh-ed25519"), cipher: Name("chacha20-poly1305@openssh.com"), client_mac: Name("hmac-sha2-512-etm@openssh.com"), server_mac: Name("hmac-sha2-512-etm@openssh.com"), server_compression: None, client_compression: None, ignore_guessed: false }
[DEBUG] write = []
[DEBUG] i0 = 617
[DEBUG] writing, seqn = 1
[DEBUG] padding length 6
[DEBUG] packet_length 44
[DEBUG] moving to kexdhdone, exchange = Exchange { client_id: CryptoVec { p: 0x7f1678008bb0, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678008b60, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780091e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801bb00, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801c310, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x1, size: 0, capacity: 0 } }
[DEBUG] reading, len = [0, 0, 0, 188]
[DEBUG] reading, seqn = 1
[DEBUG] reading, clear len = 188
[DEBUG] read_exact 192
[DEBUG] read_exact done
[DEBUG] reading, padding_length 8
[DEBUG] server_public_Key: Ed25519(VerifyingKey(CompressedEdwardsY: [176, 89, 240, 59, 145, 177, 144, 145, 134, 188, 229, 229, 134, 252, 139, 105, 93, 164, 89, 8, 146, 157, 159, 153, 115, 51, 104, 149, 73, 159, 113, 237]), EdwardsPoint{
X: FieldElement51([728083680119007, 436116878926261, 1961446992170349, 446738616696109, 1587327731806879]),
Y: FieldElement51([195237333981616, 242703091683890, 394249906827250, 485764287613188, 1925356338108035]),
Z: FieldElement51([1, 0, 0, 0, 0]),
T: FieldElement51([1493877698679165, 457010286071527, 1037602397152548, 498966669971339, 2077064360606616])
}))
[DEBUG] kexdhdone.exchange = Exchange { client_id: CryptoVec { p: 0x7f1678014260, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678014210, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780146e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801a2b0, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801ae90, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x7f167801c370, size: 32, capacity: 32 } }
[DEBUG] exchange hash: CryptoVec { p: 0x7f167801c3e0, size: 32, capacity: 32 }
[DEBUG] sig_type: [115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57]
[DEBUG] signature: [5, 93, 130, 33, 114, 229, 80, 99, 52, 121, 224, 63, 140, 247, 72, 207, 147, 21, 2, 48, 208, 31, 217, 250, 34, 99, 0, 93, 101, 226, 96, 207, 97, 4, 121, 192, 74, 193, 101, 123, 232, 245, 108, 46, 27, 20, 78, 21, 144, 11, 37, 200, 103, 205, 76, 19, 14, 49, 102, 212, 153, 198, 226, 10]
[DEBUG] writing, seqn = 2
[DEBUG] padding length 10
[DEBUG] packet_length 12
[DEBUG] reading, len = [0, 0, 0, 12]
[DEBUG] reading, seqn = 2
[DEBUG] reading, clear len = 12
[DEBUG] read_exact 16
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] newkeys received
[DEBUG] sending ssh-userauth service requset
[DEBUG] writing, seqn = 3
[DEBUG] padding length 6
[DEBUG] packet_length 24
[DEBUG] write_auth_request_if_needed: is_waiting = false
[DEBUG] reading, len = [0, 0, 0, 188]
[DEBUG] reading, seqn = 1
[DEBUG] reading, clear len = 188
[DEBUG] read_exact 192
[DEBUG] read_exact done
[DEBUG] reading, padding_length 8
[DEBUG] server_public_Key: Ed25519(VerifyingKey(CompressedEdwardsY: [169, 140, 1, 56, 240, 250, 4, 169, 213, 182, 198, 189, 25, 151, 248, 109, 174, 181, 143, 194, 145, 151, 91, 24, 20, 108, 241, 207, 170, 3, 226, 76]), EdwardsPoint{
X: FieldElement51([1898668734245506, 1260599826782178, 735215080225294, 699367638464146, 2019178350260172]),
Y: FieldElement51([1401809545563305, 905691948299552, 632041913180764, 1699897284479201, 1352537725533974]),
Z: FieldElement51([1, 0, 0, 0, 0]),
T: FieldElement51([1120108582023427, 1657369740754767, 1051851098579530, 903210842353603, 1557818474780106])
}))
[DEBUG] kexdhdone.exchange = Exchange { client_id: CryptoVec { p: 0x7f1678008bb0, size: 20, capacity: 32 }, server_id: CryptoVec { p: 0x7f1678008b60, size: 39, capacity: 64 }, client_kex_init: CryptoVec { p: 0x7f16780091e0, size: 617, capacity: 1024 }, server_kex_init: CryptoVec { p: 0x7f167801bb00, size: 1041, capacity: 2048 }, client_ephemeral: CryptoVec { p: 0x7f167801c310, size: 32, capacity: 32 }, server_ephemeral: CryptoVec { p: 0x7f1678002950, size: 32, capacity: 32 } }
[DEBUG] exchange hash: CryptoVec { p: 0x7f1678002980, size: 32, capacity: 32 }
[DEBUG] sig_type: [115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57]
[DEBUG] signature: [58, 101, 78, 230, 225, 189, 100, 6, 245, 32, 184, 190, 251, 195, 168, 114, 192, 90, 54, 136, 211, 117, 5, 111, 255, 20, 187, 161, 89, 107, 254, 67, 232, 84, 120, 239, 242, 249, 138, 218, 201, 205, 50, 165, 240, 120, 212, 182, 20, 128, 125, 41, 206, 145, 232, 100, 151, 46, 19, 179, 86, 248, 62, 15]
[DEBUG] writing, seqn = 2
[DEBUG] padding length 10
[DEBUG] packet_length 12
[DEBUG] reading, len = [0, 0, 0, 12]
[DEBUG] reading, seqn = 2
[DEBUG] reading, clear len = 12
[DEBUG] read_exact 16
[DEBUG] read_exact done
[DEBUG] reading, padding_length 10
[DEBUG] newkeys received
[DEBUG] sending ssh-userauth service requset
[DEBUG] writing, seqn = 3
[DEBUG] padding length 6
[DEBUG] packet_length 24
[DEBUG] write_auth_request_if_needed: is_waiting = false
[DEBUG] reading, len = [144, 64, 88, 9]
[DEBUG] reading, seqn = 3
[DEBUG] reading, clear len = 40
[DEBUG] read_exact 44
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] waiting service request, Some(6) 6
[DEBUG] enc: [0, 0, 0, 54, 50, 0, 0, 0, 6, 117, 98, 117, 110, 116, 117, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 8, 112, 97, 115, 115, 119, 111, 114, 100, 0, 0, 0, 0, 8, 76, 97, 98, 52, 109, 97, 110, 49]
[DEBUG] writing, seqn = 4
[DEBUG] padding length 9
[DEBUG] packet_length 64
[DEBUG] reading, len = [178, 215, 73, 39]
[DEBUG] reading, seqn = 3
[DEBUG] reading, clear len = 40
[DEBUG] read_exact 44
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] waiting service request, Some(6) 6
[DEBUG] enc: [0, 0, 0, 54, 50, 0, 0, 0, 6, 117, 98, 117, 110, 116, 117, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 8, 112, 97, 115, 115, 119, 111, 114, 100, 0, 0, 0, 0, 8, 76, 97, 98, 52, 109, 97, 110, 49]
[DEBUG] writing, seqn = 4
[DEBUG] padding length 9
[DEBUG] packet_length 64
[DEBUG] reading, len = [208, 109, 9, 59]
[DEBUG] reading, seqn = 4
[DEBUG] reading, clear len = 24
[DEBUG] read_exact 28
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] userauth_success
[DEBUG] drop handle
[INFO ] [2023-11-07 11:27:43] (ssh) <10.10.100.11:22> username=ubuntu password=Lab4man1
[DEBUG] disconnected
[DEBUG] drop session
[DEBUG] reading, len = [88, 244, 218, 164]
[DEBUG] reading, seqn = 4
[DEBUG] reading, clear len = 24
[DEBUG] read_exact 28
[DEBUG] read_exact done
[DEBUG] reading, padding_length 6
[DEBUG] userauth_success
[DEBUG] drop handle
[INFO ] [2023-11-07 11:27:43] (ssh) <10.10.100.10:22> username=ubuntu password=Lab4man1
[DEBUG] disconnected
[DEBUG] drop session
[INFO ] runtime 1.000311534s`

for the password list containing multiple passwords:
RUST_LOG=debug ./legba ssh --username ubuntu --password wordlists/passwords-new.txt --target @target.txt -Q
It is too huge so I will upload it as file

debug.log

[evilsocket]

mmm any network timeouts or similar in dmesg? what are the specs of the bruteforcing machine? ethernet or wifi? what if you increase the timeout by --timeout 10000?

PS: thank you for the logs

[bleh92]

Ok so the whole setup is being run using proxmox.
Linux Bruteforcer 5.4.0-166-generic #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

The Machine has 4 GB RAM and 2 core processor and I am accessing the machine over vpn. I myself am using wifi on my computer to connect to them.

For more information

The machines are in the same subnet and can communicate with each other, as I am able to ssh into them from bruteforcer

as for network timeouts in dmesg, there are none

The timeout -10000 it kept running until i stopped it.

[zip609]

Greetings. First of all, I want to express my gratitude to the author, you are great! This is a very cool tool! Unfortunately, I want to inform you that I have exactly the same problem ssh as bleh92. Thank you very much for your work.

[evilsocket]

@zip609 hi! can you try with v0.5.0 and, if the error persists, provide me the debug log by running with RUST_LOG=debug ... please?

[bleh92]

Hallo, I don't know if this helps, but RDP plugin is working fine with the same parameters, there probably is a problem with ssh plugin.

./legba rdp --target 10.10.10.28 --username <user> --password wordlists/passwords-new.txt --rdp-domain <domain.local> -O result --output-format jsonl -Q

But when I remove the -Q flag, it again runs endlessly. Similar to what's happening with the ssh plugin.

[evilsocket]

I'm failing to reproduce it here ... I'm forcing 2 tasks, using a wordlist with 3 passwords and a targets.txt file with one working ip and one down, and as expected I get this:

[bleh92]

I see that you are using version v0.5.1, I have also updated to the latest version, but the error persists.

I will try running it on my local set-up and give you an update tomorrow.

If it runs there without any problems, it has to be an issue within the Datacenter machines i am using.

Edit:

The script is still not working. I had a friend of mine try your tool from his machine. He ran the script on kali and was trying to bruteforce ssh on to an ubuntu machine. They are both connected via NAT, on his VMware workstation pro.
These were the results.

Version info-

Tasks running endlessly-

Using -Q flag-

ssh into the machine-

[evilsocket]

Are you running the tool from within a VM as well? NAT?

[bleh92]

Yes, previously I was running the tool on machines set up in proxmox, since they weren't working, I had a friend of mine, run the tool on his kali machine which is installed in vmware workstation. He tried to bruteforce the ssh credentials of another ubuntu machine in VMware, in the same network/subnet(NAT configuration, Just like your home network with a wireless router, the VM will be assigned in a separate subnet, like 192.168.6.1 is your host computer, and VM is 192.168.6.3, then your VM can access outside network like your host, but no outside access to your VM directly, it's protected.), but was getting the same errors I got when I run it over the machines in proxmox.
Hope I am making sense.

[evilsocket]

Understood, can you send a screenshot of the VMs network configuration (both from the host, so a screenshot of the vmware/virtualbox network config, and from the guests) so I can try to replicate?

[evilsocket]

Also, in the debug.log i see several [DEBUG] Err(Utf8Error { valid_up_to: 48, error_len: Some(1) }) errors ... may I ask if the passwords contain non UTF8 characters, or maybe the ssh server host?

[evilsocket]

i was finally able to replicate this using two VMs, debugging & fix in progress

[evilsocket]

@bleh92 turns out that it is a timeout problem, with few cores (I see 2 in that case) the timeout must be increased. I managed to work around the issue by using --timeout 5000 (or higher). That should solve it for you as well.

Closing for the time being, looking forward to your feedback.

[bleh92]

Hello,
So I used this command
legba ssh --username ubuntu --password wordlists/passwords.txt --target @targets.txt -O result --output-format jsonl --timeout 15000 legba v0.6.0

And again I get the same time out error, but the good news is that with -Q flag it works fine
legba ssh --username ubuntu --password wordlists/passwords.txt --target @targets.txt -O result --output-format jsonl -Q legba v0.6.0

Password list

[bleh92]

Also, in the debug.log i see several [DEBUG] Err(Utf8Error { valid_up_to: 48, error_len: Some(1) }) errors ... may I ask if the passwords contain non UTF8 characters, or maybe the ssh server host?

Ok, so the I think I found the cause for this. So my laptop keyboard seems to be broken. When I create the wordlist using my external keyboard, it worked fine. But when I created the wordlist using the in built keyboard, it failed. Looks like the tab button is being registered sometimes when I use the number keys, pretty weird.
So sorry for the inconvenience.

[evilsocket]

can you send the document that generates the issue? I can try to workaround it anyway

[bleh92]

If you are looking for the password list then here it is. This one has a tab space after the last password.
passwords.txt