Close ssh session on error #19656

Merged
merged 3 commits into from
Dec 12, 2024


@sjanusz-r7 sjanusz-r7 commented Nov 17, 2024

This PR ensures that an SSH session dies when it encounters errors. For example, the shell request can fail asynchronously, leading to an SSH session that cannot be interacted with, as was the case with a Windows VM that has installed OpenSSH version 8.1.0.0 with choco install openssh --version 8.1.0-beta1.
As this shell request happens asynchronously, we end up with a session that has been reported as open and that the credential works, but the session then dies afterwards.

This PR also allows for the passing of an error_callback method, allowing us to log out the errors to the user:

  metasploit-framework git:(close-ssh-session-on-error) bundle exec ruby ./msfconsole -qx 'run'
[*] 192.168.112.222:22 - Starting bruteforce
[+] 192.168.112.222:22 - Success: 'win10:win10' 'Microsoft Windows 10 Pro 10.0.19045 N/A Build 19045'
[-] SSH Command Stream encountered an error: Shell/exec channel request failed (Server Version: SSH-2.0-OpenSSH_for_Windows_8.1)
[*] SSH session 1 opened (x:49198 -> x:22) at 2024-11-18 17:26:48 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Scan completed, 1 credential was successful.

Successful logins
=================

    Host             Public  Private
    ----             ------  -------
    x                  win10   win10


[*] 1 session was opened successfully.
[*] Auxiliary module execution completed
[*] x - SSH session 1 closed.  Reason: Died

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Ensure that running the ssh_login module vs. a Windows VM with an OpenSSH version newer than 8.1.0.0 works as expected
  • Ensure that running the ssh_login module vs. an Ubuntu VM works as expected
  • Ensure that running the ssh_login module vs. a Windows VM with an OpenSSH version of 8.1.0.0 makes the session die.

Before

An SSH session is broken but has not been killed. When interacting with it, no data is sent through the shell channel as it has died silently.

After

Session is killed, and an error is logged with the server version if the error_callback is provided. As the command stream has no access to print_error itself, it is passed in.
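
The failure mode described in this PR, as an added Ruby sketch that is not part of the PR or of Metasploit's code: a shell request answered asynchronously, an error_callback supplied by the caller, and the channel closed on failure. FakeChannel, this CommandStream and open_stream are hypothetical names, and the channel is a constructed stand-in rather than a real SSH connection.

```ruby
# Hypothetical stand-in for an SSH channel whose shell request is answered asynchronously.
class FakeChannel
  attr_reader :closed

  def initialize(shell_ok:)
    @shell_ok = shell_ok
    @pending = []
    @closed = false
  end

  # Queue the request; the server's reply only arrives later, in #process.
  def request_shell(&reply)
    @pending << reply
  end

  # Deliver queued replies, as the connection's event loop would.
  def process
    @pending.shift.call(@shell_ok) until @pending.empty?
  end

  def close
    @closed = true
  end
end

# Hypothetical command stream: reports the failure and kills the session.
class CommandStream
  def initialize(channel, server_version:, error_callback: nil)
    @channel = channel
    @channel.request_shell do |success|
      next if success
      msg = "Shell/exec channel request failed (Server Version: #{server_version})"
      # The stream cannot print on its own, so the caller passes the reporter in.
      error_callback&.call(msg)
      @channel.close # close instead of leaving a silently dead session
    end
  end

  def alive?
    !@channel.closed
  end
end

# Returns [alive before the reply, alive after the reply, reported errors].
def open_stream(shell_ok, version)
  errors = []
  channel = FakeChannel.new(shell_ok: shell_ok)
  stream = CommandStream.new(channel, server_version: version, error_callback: ->(m) { errors << m })
  alive_before = stream.alive? # constructor returned, reply not yet processed
  channel.process
  [alive_before, stream.alive?, errors]
end
```

The first element of the result is why the session can be reported as opened before it dies: the stream looks healthy until the deferred reply is processed.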

@sjanusz-r7 sjanusz-r7 force-pushed the close-ssh-session-on-error branch 2 times, most recently from 0a8ade6 to ee316e7 Compare November 21, 2024 13:38
@sjanusz-r7 sjanusz-r7 force-pushed the close-ssh-session-on-error branch from ee316e7 to 566e12b Compare November 25, 2024 16:44
@jheysel-r7 jheysel-r7 self-assigned this Dec 10, 2024

@jheysel-r7 jheysel-r7 left a comment


Thanks for the fix @sjanusz-r7! Looks great. The only thing that jumped out at me in this PR was the use of if not. I prefer unless, but everyone should be entitled to their own conditional statement proclivities.

Testing was as expected:

Before

The framework reports a session was successfully established when in fact it's unusable.

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 172.16.199.135:22 - Starting bruteforce
[+] 172.16.199.135:22 - Success: 'msfuser:notpassword' 'Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763'
[*] SSH session 1 opened (172.16.199.1:63263 -> 172.16.199.135:22) at 2024-12-11 13:06:47 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type           Information    Connection
  --  ----  ----           -----------    ----------
  1         shell windows  SSH jheysel @  172.16.199.1:63263 -> 172.16.199.135:22 (172.16.199.135)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i -1
[*] Starting interaction with 1...


whoami





^C
Abort session 1? [y/N]

^C
Abort session 1? [y/N]  y

[*] 172.16.199.135 - SSH session 1 closed.  Reason: User exit

After

With older versions of OpenSSH on Windows (8.0.0.0), sessions no longer silently die when they are established; an error is thrown as expected:

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 172.16.199.135:22 - Starting bruteforce
[+] 172.16.199.135:22 - Success: 'msfuser:notpassword' 'Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763'
[-] SSH Command Stream encountered an error: Shell/exec channel request failed (Server Version: SSH-2.0-OpenSSH_for_Windows_8.0)
[*] SSH session 1 opened (172.16.199.1:63917 -> 172.16.199.135:22) at 2024-12-11 14:01:33 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > [*] 172.16.199.135 - SSH session 1 closed.  Reason: Died

Newer versions of OpenSSH on Windows (9.9.1.1) produce sessions that work as expected.

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 172.16.199.134:22 - Starting bruteforce
[+] 172.16.199.134:22 - Success: 'msfuser:notpassword' 'Microsoft Windows 10 Pro 10.0.19045 N/A Build 19045'
[*] SSH session 4 opened (172.16.199.1:49808 -> 172.16.199.134:22) at 2024-12-11 16:46:49 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type           Information    Connection
  --  ----  ----           -----------    ----------
  4         shell windows  SSH jheysel @  172.16.199.1:49808 -> 172.16.199.134:22 (172.16.199.134)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i -1
[*] Starting interaction with 4...

Microsoft Windows [Version 10.0.19045.5131]
(c) Microsoft Corporation. All rights reserved.

C:\Users\msfuser>C:\Users\msfuser>dir
 Volume in drive C has no label.
 Volume Serial Number is E8D7-DBC7

 Directory of C:\Users\msfuser

11/06/2024  10:36 AM    <DIR>          .
11/06/2024  10:36 AM    <DIR>          ..
04/29/2024  10:29 AM    <DIR>          .VirtualBox
03/14/2024  08:48 AM    <DIR>          3D Objects
03/14/2024  08:48 AM    <DIR>          Contacts
12/03/2024  11:38 AM    <DIR>          Desktop
12/11/2024  04:32 PM    <DIR>          Documents
10/16/2024  11:16 AM    <DIR>          Downloads
03/14/2024  08:48 AM    <DIR>          Favorites
03/14/2024  08:48 AM    <DIR>          Links
03/14/2024  08:48 AM    <DIR>          Music
03/14/2024  08:57 AM    <DIR>          OneDrive
03/14/2024  08:57 AM    <DIR>          Pictures
03/14/2024  08:48 AM    <DIR>          Saved Games
03/14/2024  08:57 AM    <DIR>          Searches
04/29/2024  12:08 PM    <DIR>          source
07/24/2024  01:17 PM    <DIR>          Videos
               0 File(s)              0 bytes
              17 Dir(s)  15,005,855,744 bytes free

C:\Users\msfuser>

Linux-based SSH sessions still work as expected.

msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.199.130
rhosts => 172.16.199.130
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 172.16.199.130:22 - Starting bruteforce
[+] 172.16.199.130:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare),141(docker) Linux msfuser-virtual-machine 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov  6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 5 opened (172.16.199.1:49862 -> 172.16.199.130:22) at 2024-12-11 16:51:06 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i -1
[*] Starting interaction with 5...


uname -a
Linux msfuser-virtual-machine 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov  6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

@jheysel-r7 jheysel-r7 merged commit c7f7cfd into rapid7:master Dec 12, 2024
37 checks passed
jheysel-r7 commented Dec 12, 2024

Release Notes

Fixed an issue where an SSH session could sometimes be reported as alive when it has failed to open successfully against Windows running older versions of OpenSSH.

@jheysel-r7 jheysel-r7 added the rn-fix release notes fix label Dec 12, 2024