[foofus-tools] Medusa SSH Module Issue

Nathan Grandbois ngrandbois at microsolved.com
Wed Aug 20 07:38:13 PDT 2008 

Synopsis:
Medusa SSH scanning module fails after 3 login attempts with the 
following error:
ERROR: Failed to retrieve supported authentication modes. Aborting...
ERROR: No supported authentication methods located.

Environment:
Medusa 1.4, built from source.
libssh0.18, built from source.
Ubuntu 8.04, Linux zanzibar 2.6.24-19-generic #1 SMP Fri Jul 11 23:41:49 
UTC 2008 i686 GNU/Linux
OpenSSH_4.6p1 Debian-5ubuntu0.5, OpenSSL 0.9.8e 23 Feb 2007
CL:
medusa -h ip.address.obfuscated -u root -P 
/path_to_dictionary/words-english-big.dic -M ssh -w 10 -v 6
(Note: I have tried just about every cl option with the same results)

Notes/Additional Details:
GENERAL: Parallel Hosts: 1 Parallel Logins: 1
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Passwords: 235028
DEBUG AUDIT [B7BEA6B0]: [audit] starting new server: 0
DEBUG SERVER [B7916B90]: [startServer] server: 0 iUserPassCnt: 235028 
iLoginCnt: 1
DEBUG SERVER [B7916B90]: [startServer] server: 0 host: 
ip.address.obfuscated user_count: 1 parallel logins: 1
DEBUG SERVER [B7916B90]: [server] set host: ip.address.obfuscated
DEBUG SERVER [B7916B90]: [server] Starting login module: 0
DEBUG SERVER [B7916B90]: iLoginId: 0 modParams.pLogin.iId: 0 pLogin 
B7916370 modParams: 8056100
DEBUG [B7115B90]: startModule iId: 0 pLogin: B7916370 modParams->argv: 
8056008 modParams: 8056100
DEBUG [B7115B90]: Trying module path of .
DEBUG [B7115B90]: Attempting to load ./ssh.mod
DEBUG [B7115B90]: Trying module path of /usr/local/lib/medusa/modules
DEBUG [B7115B90]: Attempting to load /usr/local/lib/medusa/modules/ssh.mod
DEBUG MODULE [B7115B90]: OMG teh ssh.mod module has been called!!
DEBUG MODULE [B7115B90]: [ssh.mod] module started for host: 
ip.address.obfuscated user: 'root'
DEBUG MODULE [B7115B90]: Attempting to set banner: SSH-2.0-MEDUSA_1.0
DEBUG MODULE [B7115B90]: Attempting to initiate SSH session.
DEBUG AUDIT [B7BEA6B0]: [audit] created thread: 0
DEBUG [B7115B90]: Connected (internal)
DEBUG SERVER [B7916B90]: [server] (PARALLEL_LOGINS_PASSWORD) setting 
SAME user: root
DEBUG MODULE [B7115B90]: Id: 0 successfully established connection.
DEBUG MODULE [B7115B90]: Supported user-auth modes: publickey,password.
DEBUG MODULE [B7115B90]: Server support user-auth type: password
DEBUG MODULE [B7115B90]: Password-based authentication failed: : Host: 
ip.address.obfuscated User: root Pass: e4005441234
ACCOUNT CHECK: [ssh] Host: ip.address.obfuscated (1/1) User: root (1/1) 
Password: e4005441234 (1/235028)
INFO: [ssh] Host: ip.address.obfuscated User: root [FAILED]
DEBUG MODULE [B7115B90]: Supported user-auth modes: publickey,password.
DEBUG MODULE [B7115B90]: Server support user-auth type: password
DEBUG MODULE [B7115B90]: Password-based authentication failed: : Host: 
ip.address.obfuscated User: root Pass: e400544
ACCOUNT CHECK: [ssh] Host: ip.address.obfuscated (1/1) User: root (1/1) 
Password: e400544 (2/235028)
INFO: [ssh] Host: ip.address.obfuscated User: root [FAILED]
DEBUG MODULE [B7115B90]: Supported user-auth modes: publickey,password.
DEBUG MODULE [B7115B90]: Server support user-auth type: password
DEBUG MODULE [B7115B90]: Password-based authentication failed: : Host: 
ip.address.obfuscated User: root Pass: e4003451234
ACCOUNT CHECK: [ssh] Host: ip.address.obfuscated (1/1) User: root (1/1) 
Password: e4003451234 (3/235028)
INFO: [ssh] Host: ip.address.obfuscated User: root [FAILED]
DEBUG MODULE [B7115B90]: Supported user-auth modes: publickey,password.
DEBUG MODULE [B7115B90]: Server support user-auth type: password
DEBUG MODULE [B7115B90]: Password-based authentication failed: : Host: 
ip.address.obfuscated User: root Pass: e400345
ACCOUNT CHECK: [ssh] Host: ip.address.obfuscated (1/1) User: root (1/1) 
Password: e400345 (4/235028)
INFO: [ssh] Host: ip.address.obfuscated User: root [FAILED]
ERROR: Failed to retrieve supported authentication modes. Aborting...
ERROR: No supported authentication methods located.
ACCOUNT CHECK: [ssh] Host: ip.address.obfuscated (1/1) User: root (1/1) 
Password: e4008381234 (5/235028)
INFO: [ssh] Host: ip.address.obfuscated User: root [UNKNOWN 1]
DEBUG [B7115B90]: Disconnect successful
DEBUG SERVER [B7916B90]: [0] Login failed, thread is B7115B90
DEBUG SERVER [B7916B90]: Join complete
DEBUG SERVER [B7916B90]: [server] FAILED: iLoginId: 0 iLoginDoneCnt: 1 
iIdleLoginCnt: 0 iLoginCnt: 1
INFO: Exiting Server Module: 0 [All Scheduled Logins for Server Complete]
DEBUG SERVER [B7916B90]: [server] server thread: 0 exiting
DEBUG AUDIT [B7BEA6B0]: [0] Server is done, thread is B7916B90
DEBUG AUDIT [B7BEA6B0]: Join complete
DEBUG AUDIT [B7BEA6B0]: [audit] server thread 0 completed.
GENERAL: [audit] 1 addresses completed.
GENERAL: Medusa has finished.

Conclusions:
IMHO I think that the thread responsible for reconnecting is failing. 
Coincidentally, the number of failed attempts tried by medusa, is equal 
to the number of failed attempts if done manually. I have googled and 
googled for hints on this, but the only one I get is from some guy in 
spanish who said it was a stupid problem that he fixed, without actually 
giving the fix.

Please, any help would be greatly appreciated.

PS> In addition, if I put a successful password in the first three 
passwords attempted, medusa takes a dump with the following error:
*** glibc detected *** medusa: double free or corruption (!prev): 
0x0805aff0 ***
Followed by a backtrace and memory map.

_nathan

-- 
_______________________________________________________________________
Nathan Grandbois, CISSP           ngrandbois at microsolved.com
Security Analyst                  (614) 351-1237 x 212
PGP Key Available by Request
MicroSolved is security expertise you can trust!

HoneyPoint Security Server
Attackers get stung, instead of you!
http://www.microsolved.com/honeypoint

More information about the foofus-tools mailing list