Fix ssh login pubkey module

Author: dwelch-r7

Gemfile

@@ -3,6 +3,8 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'
 
+gem 'metasploit-credential', git: 'https://github.com/dwelch-r7/metasploit-credential', branch: 'fix-private-key-missing-fingerprint'
+
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
   # code coverage for tests

Gemfile.lock

@@ -1,3 +1,23 @@
+GIT
+  remote: https://github.com/dwelch-r7/metasploit-credential
+  revision: 6edcd13a7553706a3da0128d7c2dff8291f201a8
+  branch: fix-private-key-missing-fingerprint
+  specs:
+    metasploit-credential (6.0.17)
+      bigdecimal
+      csv
+      drb
+      metasploit-concern
+      metasploit-model
+      metasploit_data_models (>= 5.0.0)
+      mutex_m
+      net-ssh
+      pg
+      railties
+      rex-socket
+      rubyntlm
+      rubyzip
+
 PATH
   remote: .
   specs:
@@ -43,7 +63,6 @@ PATH
       lru_redux
       metasm
       metasploit-concern
-      metasploit-credential
       metasploit-model
       metasploit-payloads (= 2.0.221)
       metasploit_data_models (>= 6.0.7)
@@ -327,20 +346,6 @@ GEM
       mutex_m
       railties (~> 7.0)
       zeitwerk
-    metasploit-credential (6.0.16)
-      bigdecimal
-      csv
-      drb
-      metasploit-concern
-      metasploit-model
-      metasploit_data_models (>= 5.0.0)
-      mutex_m
-      net-ssh
-      pg
-      railties
-      rex-socket
-      rubyntlm
-      rubyzip
     metasploit-model (5.0.4)
       activemodel (~> 7.0)
       activesupport (~> 7.0)
@@ -669,6 +674,7 @@ DEPENDENCIES
   fivemat
   license_finder (= 5.11.1)
   memory_profiler
+  metasploit-credential!
   metasploit-framework!
   octokit
   pry-byebug

lib/metasploit/framework/login_scanner/ssh.rb

@@ -68,6 +68,7 @@ def attempt_login(credential)
               :key_data      => credential.private,
             )
           end
+          opt_hash[:passphrase] = cred_details.password
 
           result_options = {
             credential: credential

lib/msf/core/auxiliary/report_summary.rb

@@ -120,7 +120,7 @@ def create_credential_and_login(credential_data)
       # @param [Msf::Sessions::<SESSION_CLASS>] sess
       # @return [Msf::Sessions::<SESSION_CLASS>]
       def start_session(obj, info, ds_merge, crlf = false, sock = nil, sess = nil)
-        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
 
         result = super
         @report[rhost] ||= {}

metasploit-framework.gemspec

@@ -67,7 +67,7 @@ Gem::Specification.new do |spec|
   # Metasploit::Concern hooks
   spec.add_runtime_dependency 'metasploit-concern'
   # Metasploit::Credential database models
-  spec.add_runtime_dependency 'metasploit-credential'
+  # spec.add_runtime_dependency 'metasploit-credential'
   # Database models shared between framework and Pro.
   spec.add_runtime_dependency 'metasploit_data_models', '>= 6.0.7'
   # Things that would normally be part of the database model, but which

modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb

@@ -177,17 +177,20 @@ def run_host(ip)
       case result.status
       when Metasploit::Model::Login::Status::SUCCESSFUL
         print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
-        credential_core = create_credential(credential_data)
-        credential_data[:core] = credential_core
-        create_credential_login(credential_data)
-        tmp_key = result.credential.private
-        ssh_key = SSHKey.new tmp_key
+        ssh_key = Net::SSH::KeyFactory.load_data_private_key(credential_data[:private_data], datastore['key_pass'], false)
+
+        begin
+          credential_core = create_credential(credential_data)
+          credential_data[:core] = credential_core
+          create_credential_login(credential_data)
+        rescue ::StandardError => e
+          print_error("Failed to create credential: #{e.class} #{e}")
+          credential_core = nil
+        end
+
         if datastore['CreateSession']
-          if credential_core.is_a? Metasploit::Credential::Core
-            session_setup(result, scanner, ssh_key.fingerprint, credential_core.private_id)
-          else
-            session_setup(result, scanner, ssh_key.fingerprint, nil)
-          end
+          cred_id = credential_core.is_a?(Metasploit::Credential::Core) ? credential_core.private_id : nil
+          session_setup(result, scanner, ssh_key.public_key.fingerprint, cred_id)
         end
         if datastore['GatherProof'] && scanner.get_platform(result.proof) == 'unknown'
           msg = "While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with"
@@ -224,7 +227,7 @@ class KeyCollection < Metasploit::Framework::CredentialCollection
 
     # Override CredentialCollection#has_privates?
     def has_privates?
-      !@key_data.empty?
+      @key_data.present?
     end
 
     def realm
@@ -235,49 +238,62 @@ def valid?
       @error_list = []
       @key_data = Set.new
 
-      unless @private_key.present? || @key_path.present?
+      if @private_key.present?
+        results = validate_private_key(@private_key)
+      elsif @key_path.present?
+        results = validate_key_path(@key_path)
+      else
+        @error_list << "No key path or key provided"
         raise RuntimeError, "No key path or key provided"
       end
 
-      if @key_path.present?
-        if File.directory?(@key_path)
-          @key_files ||= Dir.entries(@key_path).reject { |f| f =~ /^\x2e|\x2epub$/ }
-          @key_files.each do |f|
-            begin
-              data = read_key(File.join(@key_path, f))
-              @key_data << data if valid_key?(data)
-            rescue StandardError => e
-              @error_list << "#{File.join(@key_path, f)}: #{e}"
-            end
-          end
-        elsif File.file?(@key_path)
-          begin
-            data = read_key(@key_path)
-            @key_data << data if valid_key?(data)
-          rescue StandardError => e
-            @error_list << "#{@key_path} could not be read, #{e}"
-          end
-        else
-          raise RuntimeError, "Invalid key path"
-        end
+      if results[:key_data].present?
+        @key_data.merge(results[:key_data])
+      else
+        @error_list.concat(results[:error_list]) if results[:error_list].present?
       end
 
-      if @private_key.present?
-        data = Net::SSH::KeyFactory.load_data_private_key(@private_key, @password, false).to_s
-        if valid_key?(data)
-          @key_data << data
-        else
-          raise RuntimeError, "Invalid private key"
+      @key_data.present?
+    end
+
+    def validate_private_key(private_key)
+      key_data = Set.new
+      error_list = []
+      begin
+        if Net::SSH::KeyFactory.load_data_private_key(private_key, @password, false).present?
+          key_data << private_key
         end
+      rescue StandardError => e
+        error_list << "Error validating private key: #{e}"
       end
-
-      !@key_data.empty?
+      {key_data: key_data, error_list: error_list}
     end
 
-    def valid_key?(key_data)
-      !!(key_data.match(/BEGIN [RECD]SA PRIVATE KEY/) && !key_data.match(/Proc-Type:.*ENCRYPTED/))
+    def validate_key_path(key_path)
+      key_data = Set.new
+      error_list = []
+
+      if File.file?(key_path)
+        key_files = [key_path]
+      elsif File.directory?(key_path)
+        key_files = Dir.entries(key_path).reject { |f| f =~ /^\x2e|\x2epub$/ }.map { |f| File.join(key_path, f) }
+      else
+        return {key_data: nil, error: "#{key_path} Invalid key path"}
+      end
+
+      key_files.each do |f|
+        begin
+          if read_key(f).present?
+            key_data << File.read(f)
+          end
+        rescue StandardError => e
+          error_list << "#{f}: #{e}"
+        end
+      end
+      {key_data: key_data, error_list: error_list}
     end
 
+
     def each
       prepended_creds.each { |c| yield c }
 
@@ -307,7 +323,7 @@ def each_key
 
     def read_key(file_path)
       @cache ||= {}
-      @cache[file_path] ||= Net::SSH::KeyFactory.load_data_private_key(File.read(file_path), password, false, key_path).to_s
+      @cache[file_path] ||= Net::SSH::KeyFactory.load_private_key(file_path, password, false)
       @cache[file_path]
     end
   end