Thursday, 4 April 2013

Simulating an SSH Worm using Python

The topic of SSH Worms came up when I was speaking with a couple of students attending my workshop at Blackhat Europe in Amsterdam last month. One of the students was curious about the iPhone SSH Worm which has been around since 2009 and the technical complexity of writing a worm for academic and research purposes. 

After explaining to him how the worm worked I realized that many think "network worms" are really complex digital beasts and only the super elite blackhats can write them. In reality, nothing could be further away from the truth. The only complex part in most worms is the exploits they use for breaking in (which in most cases might be ripped from sites like exploitdb). The network propagation and replication aspects are quite simple.

I decided to create a "simple worm" demo in Python for demonstration purposes. Why Python? HLLs like Python are easy to understand even by non-programmers as they are very readable by design. 

The SSH worm in question was really using the default password "alpine" on jailbroken phones to break in and propagate. We will take a short detour and instead Bruteforce the SSH password using a word list.

So, if I were to breakup our "demo worm" functionality wise, it would do the following:

1. Scan a new IP address and if SSH is running try and bruteforce the login / password 
2. If the worm succeeds, then upload a copy of itself to the host
3. Run the copy, so it can now scan and do (1)-(3) 

Important: I am not going to give out the whole source code, rather will look at components separately. This is to prevent script kiddies from using the code as is. The video at the end of this post shows a full demo on my lab setup with a couple of victim machines. 

The above steps (1)-(3) can be broken down into just 2 functions:

1. SSHDictionaryAttack()
2. UploadAndExecute()

Now SSH is a complicated protocol and to write the low level transport encryption code will be a pain :) This is where Python is gonna be of help to us. We will be using Paramiko as our SSH Library.

Below is the code for a Dictionary based attack on SSH:

The sample username:password file would be in the following format:

A sample run of the script against a vulnerable SSH installation:


Awesome! Now lets look at once you have a valid SSH username:password, how we would go about implementing UploadAndExecute()


Lets do a quick run of the UploadAndExecute() code:


Awesome! We can see that Payload.py was upload and executed. This end up creating the directory hacked.

Now, one of the issues with Python and using 3rd Party Libraries like Paramiko is that if the worm were to run in the "Python" form then the victim's would need to have Python + Paramiko installed. This is not a very practical expectation. So what do we do? PyInstaller to the rescue!

According to their website: PyInstaller is a program that converts (packages) Python programs into stand-alone executables, under Windows, Linux, Mac OS X, Solaris and AIX. Its main advantages over similar tools are that PyInstaller works with any version of Python since 2.3, it builds smaller executables thanks to transparent compression, it is fully multi-platform, and use the OS support to load the dynamic libraries, thus ensuring full compatibility.

This is exactly what we need! Lets convert both the above scripts to stand-alone executables using Pyinstaller as below:


Fantastic! Remember to use the "--onefile" option!  Now let me bring together the above components into one script and call it SSH-Worm-Demo.py! Sorry I cannot share the source code for fear of abuse, but if you've understood the above code samples, I am sure you understand how the code works. Basically SSH-Worm-Demo.py does the following:

  • Figures out the subnet IP addresses and scans for SSH services
  • Launched the Dictionary Attack on an SSH Service
  • Uploads and Executes a copy on the victim if it manages to break in
  • All files are created in the /tmp/ folder by the worm
  • It calls "wall" with the word "hacked" so that it can be displayed on the terminal
  • I've used Pyinstaller to convert SSH-Worm-Demo.py into a single executable file ssh-worm

I've setup 4 Ubuntu 12.04 Server machines as victims. Before I run the worm, this is how the /tmp looks like on each of them:


I run the worm from Victim-1 and very soon you see  the "Hacked" messages appear on all terminals:


As this is a simple demo code, I am not checking if the worm has already infected the machine and hence we are having duplicate infections :) Below is a screenshot of the /tmp as the infection spreads:


As you can see, every new infection creates a new executable file (the green ones with random names) and *.wall file.

Below is a short video demo of the same:





Awesome! Worm behavior simulated with Python!

If you are interested in learning how to use Python for Pentesting then please have a look at our SecurityTube Python Scripting Expert course. This course is ideal for penetration testers, security enthusiasts and network administrators who want to learn to automate tasks or go beyond just using ready made tools. We will be covering topics in system security, network security, attacking web applications and services, exploitation techniques, malware and binary analysis and task automation.We have students from 73+ countries taking this course already!




1 comment:

  1. thanks a lot, very very interesting ... I'll try it right now.

    ReplyDelete