sshmitm.tutorial.tutorials.pubkey_enumeration package
Tutorial: SSH Key Enumeration — user validity oracle (CVE-2016-20012).
- class sshmitm.tutorial.tutorials.pubkey_enumeration.PubkeyEnumerationTutorial
Bases:
Tutorial- category: ClassVar[str] = 'Reconnaissance'
- description: ClassVar[str] = 'Learn how to query the SSH user validity oracle (CVE-2016-20012) to discover which keys grant access to which servers using ssh-mitm check-publickey.'
- direct_targets: ClassVar[dict[str, type[Host]]] = {'database': <class 'sshmitm.tutorial.hosts.logfile_inc.db01.DB01'>, 'logfilegit': <class 'sshmitm.tutorial.hosts.logfile_inc.logfilegit.LogfileGit'>, 'web': <class 'sshmitm.tutorial.hosts.logfile_inc.web01.Web01'>}
- docs: ClassVar[dict[str, str]] = {'Authentication': 'https://docs.ssh-mitm.at/audit_guide/authentication.html', 'CVE-2016-20012': 'https://docs.ssh-mitm.at/vulnerabilities/CVE-2016-20012.html', 'Logfile Inc. Assessment': 'https://docs.ssh-mitm.at/get_started/scenario.html'}
- id: ClassVar[str] = '06-pubkey-enumeration'
- lab_service_labels: ClassVar[dict[str, str]] = {'database_port': 'db01.logfileinc.internal', 'git_server_url': 'LogfileGit', 'web_port': 'web01.logfileinc.internal'}
- proxy_target: ClassVar[type[Host] | None] = None
- requires: ClassVar[list[Requirement]] = [<sshmitm.tutorial._requirements.RandomKeyPair object>, <sshmitm.tutorial._requirements.RandomKeyPair object>, <sshmitm.tutorial._requirements.RandomKeyPair object>, <sshmitm.tutorial._requirements.RegisterPublicKeys object>]
- scenario
alias of
LogfileIncScenario
- steps: list[Step] = [Step(id='intro', title='What you will learn', content='', condition=<sshmitm.tutorial._conditions.TRUE object>, victim_action=None, command=None, copyable=[], hint_waiting='', hint_done='Introduction read. ✓'), Step(id='explore-gitlab', title='Explore LogfileGit', content='', condition=<sshmitm.tutorial._conditions.TRUE object>, victim_action=None, command=None, copyable=[], hint_waiting='', hint_done='Profile explored. ✓'), Step(id='enumerate', title='Find the key valid on the web server', content='', condition=<sshmitm.tutorial._conditions.UserInput object>, victim_action=None, command='ssh-mitm check-publickey --host {web_address} --port {web_port} --username mmorgan --public-keys {git_server_url}/mmorgan.keys', copyable=[], hint_waiting='Run check-publickey and enter the SHA256 fingerprint of the valid key above.', hint_done="Correct! You mapped mmorgan's access to the web server. ✓")]
- tags: ClassVar[list[str]] = ['CVE-2016-20012', 'Public Key', 'Lateral Movement']
- title: ClassVar[str] = 'SSH Key Enumeration'
- victim
alias of
MaxMorgan