SSH-Snake's approach to output is quite simple and consists of the following:
- Print where we are,
- Print any keys found,
- Print any exceptional information.
A normal output will look something like this:
(1) [1704020277]jrogers@10.128.0.25
(2) [1704020277]jrogers@(10.128.0.25)
(3) [1704020277]jrogers@10.128.0.25: Discovered usable private key in [/home/jrogers/.ssh/id_rsa]
(4) [1704020277]jrogers@10.128.0.25: EXTERNAL_MSG: KEY[/home/jrogers/.ssh/id_rsa]: LS0tLS1CRUdJTiBPUE[...]
(5) [1704020278]jrogers@10.128.0.25: Discovered unusable private key in [/home/jrogers/.ssh/protected]
(6) [1704020278]jrogers@10.128.0.25: EXTERNAL_MSG: KEY[/home/jrogers/.ssh/protected]: LS0tLS1CRUdJTiB[...]
(7) [1704020278]jrogers@10.128.0.25: EXTERNAL_MSG: INFO: Beginning with 12 dests and 1 keys
(8) [1704020279] jrogers@10.128.0.25[!/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.25
(9) [1704020279] jrogers@(10.128.0.25)[!/home/jrogers/.ssh/id_rsa]->jrogers@(10.128.0.25)
(10) [1704020279] jrogers@10.128.0.25[!/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.27
(11) [1704020279] jrogers@(10.128.0.25)[!/home/jrogers/.ssh/id_rsa]->jrogers@(10.128.0.27)
(12) [1704020277] jrogers@10.128.0.25[!/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.27: Discovered usable private key in [/home/jrogers/.ssh/id_rsa]
....
Every line is prepended with the UNIX epoch time.
Going through each line one by one, the purpose of each line is explained respectively:
- The current destination (
user@host
) in the so-called "hosts chain" format. This destination address is the exact address that was used tossh
to (ssh -i key user@host
). - The current destination (
user@(host)
) in the so-called "hostnames chain" format. This format identifies a system based on all of its addresses. For example, a system with three IPv4 addresses corresponds touser@(ip1:ip2:ip3)
where eachip
is the IPv4 address. This format of destination is a clear indicator of the system and is used to ensure scanning of duplicate systems does not occur (such that connecting to a secondary address does not trigger a duplicate scan for a system that has already been scanned). - A private key that can be used (no passphrase or permission issue) has been discovered in
/home/jrogers/.ssh/id_rsa
. - The contents of the private key discovered in
/home/jrogers/.ssh/id_rsa
in base64 format. - A private key that cannot be used (either a passphrase or some type of permission issue) has been discovered in
/home/jrogers/.ssh/protected
. - The contents of the private key discovered in
/home/jrogers/.ssh/protected
in base64 format. - 1 usable key and 12 destination addresses have been discovered on the system. The script will now try to connect to those 12 addresses using the 1 key.
jrogers@10.128.0.25
has connected tojrogers@10.128.0.25
using the/home/jrogers/.ssh/id_rsa
key. The!
at the beginning of the key location indicates thatsudo
was used.- The "hostnames chain" format of the above.
jrogers@10.128.0.25
has connected tojrogers@10.128.0.27
using the/home/jrogers/.ssh/id_rsa
key.- The "hostnames chain" format of the above.
- A private key that can be used has been discovered in
/home/jrogers/.ssh/id_rsa
.
Again: each of these lines are indicative of normal output.
There are some exceptional cases which are related to error conditions and the custom_cmds option:
Examples of these exception cases are listed below:
(1) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->git@20.205.243.166 [GitHub]
(2) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.50.50 [GitLab]
(3) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [NoLogin]
(4) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [OoM]
(5) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [ConnErr]
(6) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [fail,aws,ubuntu]
(7) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [fail,cmd,awk]
(8) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [ARGLIMIT:1048576, abcdef...]
(9) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30: EXTERNAL_MSG: CMD[uname]: abcdef..."
(10) [1704020279] jrogers@10.128.0.25[/home/jrogers/.ssh/id_rsa]->jrogers@10.128.0.30 [line]: abcdef..
Each of these indicate:
- The
/home/jrogers/.ssh/id_rsa
key can be used to SSH togit@20.205.243.166
, which is a server identifying itself as GitHub. - The
/home/jrogers/.ssh/id_rsa
key can be used to SSH tojrogers@10.128.50.50
, which is a GitLab server. - The
/home/jrogers/.ssh/id_rsa
key can be used to SSH tojrogers@10.128.0.30
, but the user is restricted to/usr/sbin/nologin
(meaning the SSH connection is likely used only for proxying). - The destination
jrogers@10.128.0.30
has run of memory during script execution. - The destination
jrogers@10.128.0.30
has unexpectedly disconnected. - The destination
jrogers@10.128.0.30
is an AWS EC2 instance which accepts the/home/jrogers/.ssh/id_rsa
key but does not allow SSH to thejrogers
user: instead, you must SSH to theubuntu
user. If the retry_count option is greater than 0, the script will automatically attempt to SSH toubuntu@10.128.0.30
. - The destination
jrogers@10.128.0.30
accepts the key but the script cannot run because theawk
program is not installed on the system. - Either
jrogers@10.128.0.25
orjrogers@10.128.0.30
has experienced a fatal error: the argument limit length has been reached, which means that the script cannot be passed via an argument. The argument limit is1048576
. The so-calledignore_list
(containing all of the destinations already scanned and currently being scanned) is also printed in base64 format. - The custom command
uname
has been run onjrogers@10.128.0.30
due to it being set in thecustom_cmds
option, and the output of the command (including stderr) is printed in base64 format. - The destination
jrogers@10.128.0.30
has printed an unexpected output. The output is printed after[line]:
. Alternatively, it may also mean thatssh
onjrogers@10.128.0.25
has printed an unexpected output while usingssh -i key jrogers@10.128.0.30
.
A few more procedural lines are also printed:
(1) [1702897342] jrogers@10.128.0.30: EXTERNAL_MSG: INFO: Trying again with 2 dests and 4 keys (attempts left: 0)
(2) 12 destinations (from 10 unique servers) added to interesting_dests.
(3) Unique private keys discovered: 8
(4) Unique shell accounts accessed: 10
(5) Unique servers accessed: 5
- Either 2 recoverable errors have been encountered such that the destinations where the errors occurs will be tried again, or the use_find_from_ignore_list option has been enabled and the script is attempting to SSH into any destinations from the ignore list (and thus the new destinations are being tried).
- The use_retry_all_dests options has been enabled and the script is going to re-run the scan completely with 12 destinations, corresponding to 10 unique systems (user1@host and user2@host are one system).
- At the complete end of the scan, this identifies the total amount of private keys discovered during the scan.
- At the complete end of the scan, this identifies the total amount of destinations (
user@host
) that have been accessed. - At the complete end of the scan, this identifies the total amount of systems (based on the hostnames chain format) that have been accessed.