Metasploit Release Database of Weak SSH Keys for Debian OpenSSL Vuln

The metasploit guys have released a database of all 1024-bit DSA and 2048-bit RSA SSH public/private keypairs that could have been generated by x86 Debian/Ubuntu hosts vulnerable to the OpenSSL Predictable Random Number Generator flaw.

This opens up the possibility of two practical attacks against weak SSH keys during pentests:

  1. If you can read a user’s home directory and obtain their ~/.ssh/authorized_keys file, you can look up their corresponding private key in the metasploit key database and log into their account over SSH.  Nice.
  2. If you find an SSH server that uses a weak key for its host key (check if it’s weak using, you can look up the corresponding private SSH host key in the metasploit database, then perform a Man-in-the-Middle attack: when legitimate users attempt to log into the server, you ARP spoof them (or similar) so they’re actually talking to your SSH server.  Your SSH server authenticates itself to the user with the legit server’s private SSH key.  The user believes you’re the legit server and sends their username and password to you over the encrypted channel*.

Well done to the metasploit guys for the quick turn-around.  And also well done to the Debian guys for the open and efficient way they’ve dealt with this vulnerability.

* Probably only works if tunneled clear-text passwords are used.  I haven’t completely thought this through, but I’m sure you can do something pretty bad.
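For the defensive side of the two scenarios above (auditing authorized_keys files and host keys for known-weak keys), here is an added example that is not from the post or from Metasploit: a small Python checker that parses authorized_keys lines, computes each key's MD5 fingerprint and flags any that appear in a blacklist of weak-key fingerprints. The blacklist set and the toy-sized RSA values are constructed for the example; a real audit would load the fingerprints of the published weak keys instead.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x):
    # mpint: big-endian, with a leading 0x00 byte when the high bit is set
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def build_rsa_blob_b64(e, n):
    """Encode (e, n) as a base64 ssh-rsa public-key blob (constructed test keys only)."""
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)).decode()

def parse_authorized_keys_line(line):
    """Split an authorized_keys line into (options, keytype, blob_b64, comment).
    The key type is the first field starting with 'ssh-' or 'ecdsa-', so an
    optional leading options field (e.g. from="...") is skipped."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            return " ".join(fields[:i]), f, fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("no key material on line")

def md5_fingerprint(blob_b64, expected_type):
    """Return the colon-separated MD5 fingerprint (the old ssh-keygen -l format)
    after checking that the wire-format type string matches the declared type."""
    blob = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != expected_type.encode():
        raise ValueError("declared key type does not match blob")
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def scan_authorized_keys(text, blacklist):
    """Return (line_no, fingerprint, comment) for every key whose fingerprint is
    in the blacklist; unparseable lines are returned with fingerprint None so
    they get reviewed by hand rather than silently passed."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            _, ktype, b64, comment = parse_authorized_keys_line(line)
            fp = md5_fingerprint(b64, ktype)
        except (ValueError, struct.error) as err:
            hits.append((no, None, f"unparseable: {err}"))
            continue
        if fp in blacklist:
            hits.append((no, fp, comment))
    return hits
```

The same `md5_fingerprint` check applies to a server's /etc/ssh/ssh_host_*_key.pub files, which is how you would confirm the host-key case before anyone else does.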
