Skip to content

ssh_identify_pubkeys -> ssh_key_login#21450

Open
g0tmi1k wants to merge 21 commits into
rapid7:masterfrom
g0tmi1k:ssh_identify_pubkeys
Open

ssh_identify_pubkeys -> ssh_key_login#21450
g0tmi1k wants to merge 21 commits into
rapid7:masterfrom
g0tmi1k:ssh_identify_pubkeys

Conversation

@g0tmi1k
Copy link
Copy Markdown
Contributor

@g0tmi1k g0tmi1k commented May 13, 2026
edited
Loading

This PR gets ssh_identify_pubkeys working:

  • In its current state, a successful login, with database, will crash the module
  • In its current state, KEY_DIR doesn't work
  • In its current state, only legacy OpenSSH key formats are supported
  • Add CHECK_SUPPORTED_KEYS support, to see what the server accepts rather than trying everything
  • More efficient checking (Load all keys once, check all keys for a user etc)
  • Switch to SHA256 fingerprints
  • Add report_vuln()
  • Add GatherProof - just like ssh_login
  • Add CreateSession - just like ssh_login
  • Add Msf::Auxiliary::ReportSummary - just like ssh_login
  • Update module metadata
  • Consistence with how loot and keys are with other modules

Target is Metasploitable 2.

        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  1      1         0      0      2      1
After : *        default  1      2         2      4      9      13

Setup

Going to generate a range of SSH keys. There will be always 2 types, *_1 (not added/invalided) & *_2 (added/valid).

$ mkdir -pv /tmp/testkeys/; cd /tmp/testkeys/
mkdir: created directory '/tmp/testkeys/'
$ 
$ ssh-keygen -t rsa -b 1024 -N "" -f rsa_1024_1; ssh-keygen -t rsa -b 1024 -N "" -f rsa_1024_2
[...]
$ ssh-keygen -t rsa -b 2048 -N "" -f rsa_2048_1; ssh-keygen -t rsa -b 2048 -N "" -f rsa_2048_2
[...]
$ ssh-keygen -t rsa -b 4096 -N "" -f rsa_4096_1; ssh-keygen -t rsa -b 4096 -N "" -f rsa_4096_2
[...]
$ ssh-keygen -t rsa -b 2048 -N "" -m PEM -f rsa_2048_legacy_1; ssh-keygen -t rsa -b 2048 -N "" -m PEM -f rsa_2048_legacy_2
[...]
$ ssh-keygen -t rsa         -N "" -f tmp_1; ssh-keygen -t rsa              -N "" -f tmp_2; rm -v tmp_{1,2};
[...]    
$ ssh-keygen -t ecdsa       -N "" -f ecdsa_1; ssh-keygen -t ecdsa       -N "" -f ecdsa_2
[...]    
$ ssh-keygen -t ed25519     -N "" -f ed25519_1; ssh-keygen -t ed25519     -N "" -f ed25519_2
[...]
$ echo "hello world" > foo
$
$ ls *_2.pub
ecdsa_2.pub  ed25519_2.pub  rsa_1024_2.pub  rsa_2048_2.pub  rsa_2048_legacy_2.pub  rsa_4096_2.pub  tmp_2.pub
$ cat *_2.pub
[...]
$

Then will add the SSH keys to the target:

$ ssh1 msfadmin@10.0.0.10
/etc/ssh/ssh_config line 52: Unsupported option "gssapiauthentication"
msfadmin@10.0.0.10's password: msfadmin
[...]
msfadmin@metasploitable:~$ cd .ssh/
msfadmin@metasploitable:~/.ssh$ cat <<EOF > authorized_keys
[...output from `$ cat *_2.pub`...]
EOF
msfadmin@metasploitable:~$ chmod -v 0600 authorized_keys
mode of `authorized_keys' changed to 0600 (rw-------)
msfadmin@metasploitable:~$

Quick test

$ ssh1 -i rsa_1024_2 msfadmin@10.0.0.10
/etc/ssh/ssh_config line 52: Unsupported option "gssapiauthentication"
[...]
msfadmin@metasploitable:~$

Before

  • All testing was done using master branch
  • Would silent fail if there wasn't a username
  • KEY_DIR requires a KEY_FILE, thus doesn't ever trigger - and it looks "hidden"
  • Module crashes when login was successful
  • Workspace only would get updated if successful result
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/ssh/ssh_identify_pubkeys;
set RHOSTS 10.0.0.10;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10

Module options (auxiliary/scanner/ssh/ssh_identify_pubkeys):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   KEY_FILE                           yes       Filename of one or several cleartext public keys.
   RHOSTS            10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run RPORT=9999
[-] Msf::OptionValidateError One or more options failed to validate: KEY_FILE.
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run RPORT=9999 KEY_FILE=/tmp/testkeys/rsa_1024_2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > 
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > 
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run RPORT=9999 KEY_FILE=/tmp/testkeys/rsa_1024_2 USERNAME=msfadmin
[-] 10.0.0.10:9999 SSH - No valid keys found
[-] 10.0.0.10:9999 SSH - No valid keys found
[-] 10.0.0.10:9999 SSH - No valid cleartext keys found
[*] 10.0.0.10:9999 SSH - Trying 0 cleartext key per user.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run RPORT=9999 KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[*] 10.0.0.10:9999 SSH - Trying 1 cleartext key per user.
[-] 10.0.0.10:9999 SSH - Could not connect
[-] 10.0.0.10:9999        - [1/1] - Bruteforce cancelled against this service.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run RPORT=21 KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[*] 10.0.0.10:21 SSH - Trying 1 cleartext key per user.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[*] 10.0.0.10:22 SSH - Trying 1 cleartext key per user.
[+] 10.0.0.10:22          - [1/1] - Public key accepted: 'msfadmin' with key '6d:5d:df:2c:e6:5e:dd:a6:db:0d:84:4d:7d:bc:4a:19' (Private Key: Yes)
[-] Auxiliary failed: NoMethodError undefined method `[]' for an instance of OpenSSL::PKey::RSA
[-] Call stack:
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:312:in `do_report'
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:275:in `block in do_login'
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:202:in `each'
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:202:in `each_with_index'
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:202:in `do_login'
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:376:in `block in run_host'
[-]   /usr/share/metasploit-framework2/lib/msf/core/auxiliary/auth_brute.rb:321:in `block in each_user_pass'
[-]   /usr/share/metasploit-framework2/lib/msf/core/auxiliary/auth_brute.rb:289:in `each'
[-]   /usr/share/metasploit-framework2/lib/msf/core/auxiliary/auth_brute.rb:289:in `each_user_pass'
[-]   /usr/share/metasploit-framework2/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb:375:in `run_host'
[-]   /usr/share/metasploit-framework2/lib/msf/core/auxiliary/scanner.rb:130:in `block (2 levels) in run'
[-]   /usr/share/metasploit-framework2/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      2      1

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > se
[-] Unknown command: se. Did you mean set? Run the help command for more details.
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  22    tcp          open         {}

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > loot

Loot
====

host       service  type                                name                  content                   info  path
----       -------  ----                                ----                  -------                   ----  ----
10.0.0.10           host.unix.ssh.msfadmin_rsa_public   msfadmin_rsa.pub      application/octet-stream        /home/kali/.msf4/loot/20260526223848_default_10.0.0.10_host.unix.ssh.ms_767947.pub
10.0.0.10           host.unix.ssh.msfadmin_rsa_private  msfadmin_rsa.private  application/octet-stream        /home/kali/.msf4/loot/20260526223848_default_10.0.0.10_host.unix.ssh.ms_270923.bin

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type                    Data
 ----                     ----       -------  ----  --------  ----                    ----
 2026-05-26 21:38:48 UTC  10.0.0.10           22    tcp       ssh.publickey.accepted  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIwliRlyg+ZA5R4GmRNHu9i8UyuzIiJdB5P8/8a1SwrjjXvQ
                                                                                      TOjEgXOnw/kMygqAyNlMbSyHj7nUxL5xjLloDmeop9yMCqbVLQ4cV8xmTBQ//ezxYKYAubHa8qRD/aKB3A1s+gI+nkDfRvfzLzYV5SSUoNXKAv93iAn2Clj8
                                                                                      Mr/Rrt81Te3SatvGjdDpu1ke46wwJ+HXBlQXbPa/9IIsT6iJw5RMnr4FaxpvxZPp1evQMjXzYuDWlLlR3HButaRz7CLUeIgQ1ZJwsvCORCnQ25RSjCYho96w
                                                                                      rEioqASc9UUBBGMDeAligv1euoClvaOPHIAgf1D0yrK4l+Pu4wPxfb", :private_key=>"Yes", :info=>""}

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > advanced

Module advanced options (auxiliary/scanner/ssh/ssh_identify_pubkeys):

   Name                  Current Setting                          Required  Description
   ----                  ---------------                          --------  -----------
   KEY_DIR                                                        no        Directory of several keys. Filenames must not begin with a dot in order to be read.
   MaxGuessesPerService  0                                        no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser     0                                        no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services
                                                                            , so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set
                                                                            to zero or a non-number, this option will not be used.
   MaxMinutesPerService  0                                        no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   PASSWORD_SPRAY        false                                    yes       Reverse the credential pairing order. For each password, attempt every possible user.
   REMOVE_PASS_FILE      false                                    yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE  false                                    yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE      false                                    yes       Automatically delete the USER_FILE on module completion
   SSH_BYPASS            false                                    no        Verify that authentication was not bypassed when keys are found
   SSH_DEBUG             false                                    no        Enable SSH debugging output (Extreme verbosity!)
   SSH_IDENT             SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3  yes       SSH client identification string
   SSH_KEYFILE_B64                                                no        Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only.
   SSH_TIMEOUT           30                                       no        Specify the maximum time to negotiate a SSH session
   SSLKeyLogFile                                                  no        The SSL key log file
   ShowProgress          true                                     yes       Display progress messages during a scan
   ShowProgressPercent   10                                       yes       The interval in percent that progress should be shown
   TRANSITION_DELAY      0                                        no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE                                                      no        Specify the workspace for this module


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/ssh_identify_pubkeys) > run KEY_DIR=/tmp/testkeys/
[-] Msf::OptionValidateError One or more options failed to validate: KEY_FILE.
msf auxiliary(scanner/ssh/ssh_identify_pubkeys) >

After

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/ssh/ssh_key_login;
set RHOSTS 10.0.0.10;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10

Module options (auxiliary/scanner/ssh/ssh_key_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   CreateSession     true             no        Create a new session for every successful login
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   KEY_DIR                            no        Directory of SSH public or unencrypted private key files (dot-prefixed filenames are ignored)
   KEY_FILE                           no        File containing one or more SSH public or unencrypted private keys
   RHOSTS            10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > run RPORT=9999
[-] Please set KEY_FILE or KEY_DIR (or SSH_KEYFILE_B64)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > run RPORT=9999 KEY_FILE=/tmp/testkeys/rsa_1024_2
[-] Please set USERNAME or USER_FILE
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > run RPORT=9999 KEY_FILE=/tmp/testkeys/rsa_1024_2 USERNAME=msfadmin
[*] Converting modern OpenSSH key to public key blob: rsa_1024_2
[*] Loaded 1 cleartext key
[-] 10.0.0.10:9999 - Could not connect
[-] Bruteforce cancelled against this service.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > run RPORT=9999 KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[*] No conversion needed: rsa_2048_legacy_2
[*] Loaded 1 cleartext key
[-] 10.0.0.10:9999 - Could not connect
[-] Bruteforce cancelled against this service.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > run RPORT=21 KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[*] No conversion needed: rsa_2048_legacy_2
[*] Loaded 1 cleartext key
[*] 10.0.0.10:21 - Could not determine supported key types (execution expired), trying all
[-] 10.0.0.10:21 - Could not connect
[-] Bruteforce cancelled against this service.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/ssh/ssh_key_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf auxiliary(scanner/ssh/ssh_key_login) > services
Services
========

host       port  proto  name  state  info                resource  parents
----       ----  -----  ----  -----  ----                --------  -------
10.0.0.10  21    tcp          open   220 (vsFTPd 2.3.4)  {}

msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_key_login) > run KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[*] No conversion needed: rsa_2048_legacy_2
[*] Loaded 1 cleartext key
[*] 10.0.0.10:22 - SSH banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] 10.0.0.10:22 - Supported key types: ssh-rsa, ssh-dss
[+] 10.0.0.10:22 - [1/1] rsa_2048_legacy_2: accepted for msfadmin (SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs) - Private Key: Yes 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)'
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] SSH session 1 opened (10.0.0.1:41357 -> 10.0.0.10:22) at 2026-05-26 22:59:51 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         2      1      2      4

msf auxiliary(scanner/ssh/ssh_key_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf auxiliary(scanner/ssh/ssh_key_login) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    tcp   open                                          {}
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)

msf auxiliary(scanner/ssh/ssh_key_login) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                                    References
---------                ----       -------       --------  ----                                    ----------
2026-05-26 21:59:50 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Authorized Key Accepted             ATT&CK-T1021.004
2026-05-26 21:59:51 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Authorized Key Login Check Scanner  ATT&CK-T1021.004

msf auxiliary(scanner/ssh/ssh_key_login) > creds
Credentials
===========

id   host       origin     service       public    private                                          realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------                                          -----  ------------  ----------  ----------------
579  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  6d:5d:df:2c:e6:5e:dd:a6:db:0d:84:4d:7d:bc:4a:19         SSH key

msf auxiliary(scanner/ssh/ssh_key_login) > lo
[-] Unknown command: lo. Did you mean log? Run the help command for more details.
msf auxiliary(scanner/ssh/ssh_key_login) > loot

Loot
====

host       service  type                name                 content     info                                                path
----       -------  ----                ----                 -------     ----                                                ----
10.0.0.10           ssh.publickey.rsa   msfadmin_id_rsa.pub  text/plain  SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs  /home/kali/.msf4/loot/20260526225950_default_10.0.0.10_ssh.publickey.rs_468112.txt
10.0.0.10           ssh.privatekey.rsa  msfadmin_id_rsa      text/plain  SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs  /home/kali/.msf4/loot/20260526225950_default_10.0.0.10_ssh.privatekey.r_449006.txt

msf auxiliary(scanner/ssh/ssh_key_login) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type               Data
 ----                     ----       -------  ----  --------  ----               ----
 2026-05-26 21:59:50 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe            {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-26 21:59:50 UTC  10.0.0.10  ssh      22    tcp       ssh.hostkey        {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}
 2026-05-26 21:59:50 UTC  10.0.0.10  tcp      22    tcp       ssh.accepted_keys  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIwliRlyg+ZA5R4GmRNHu9i8UyuzIiJdB5P8/8a1SwrjjXvQTOjEg
                                                                                 XOnw/kMygqAyNlMbSyHj7nUxL5xjLloDmeop9yMCqbVLQ4cV8xmTBQ//ezxYKYAubHa8qRD/aKB3A1s+gI+nkDfRvfzLzYV5SSUoNXKAv93iAn2Clj8Mr/Rrt81Te
                                                                                 3SatvGjdDpu1ke46wwJ+HXBlQXbPa/9IIsT6iJw5RMnr4FaxpvxZPp1evQMjXzYuDWlLlR3HButaRz7CLUeIgQ1ZJwsvCORCnQ25RSjCYho96wrEioqASc9UUBBGM
                                                                                 DeAligv1euoClvaOPHIAgf1D0yrK4l+Pu4wPxfb", :private_key=>true}
 2026-05-26 21:59:50 UTC  10.0.0.10  tcp      22    tcp       ssh.proof          {:credential=>"msfadmin:SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs", :id=>"uid=1000(msfadmin) gid=1000(msfadmin) grou
                                                                                 ps=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(samb
                                                                                 ashare),1000(msfadmin)", :uname=>"Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux"}

msf auxiliary(scanner/ssh/ssh_key_login) >
msf auxiliary(scanner/ssh/ssh_key_login) > run KEY_DIR=/tmp/testkeys
[-] Please set USERNAME or USER_FILE
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) > run KEY_DIR=/tmp/testkeys USERNAME=msfadmin
[*] /tmp/testkeys: 26 files (rsa_4096_2.pub, rsa_4096_2, rsa_4096_1.pub, rsa_4096_1, rsa_2048_legacy_2.pub, rsa_2048_legacy_2, rsa_2048_legacy_1.pub, rsa_2048_legacy_1, rsa_2048_2.pub, rsa_2048_2, rsa_2048_1.pub, rsa_2048_1, rsa_1024_2.pub, rsa_1024_2, rsa_1024_1.pub, rsa_1024_1, tmp_2.pub, tmp_1.pub, ed25519_2.pub, ed25519_2, ed25519_1.pub, ed25519_1, ecdsa_2.pub, ecdsa_2, ecdsa_1.pub, ecdsa_1)
[*] No conversion needed: rsa_2048_legacy_2
[*] No conversion needed: rsa_2048_legacy_1
[*] Converting modern OpenSSH key to public key blob: rsa_4096_2, rsa_4096_1, rsa_2048_2, rsa_2048_1, rsa_1024_2, rsa_1024_1, ed25519_2, ed25519_1, ecdsa_2, ecdsa_1
[*] Loaded 14 cleartext keys
[*] 10.0.0.10:22 - SSH banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] 10.0.0.10:22 - Supported key types: ssh-rsa, ssh-dss
[*] 10.0.0.10:22 - Server does not support ssh-ed25519, skipping: ed25519_2, ed25519_1
[*] 10.0.0.10:22 - Server does not support ecdsa-sha2-nistp256, skipping: ecdsa_2, ecdsa_1
[+] 10.0.0.10:22 - [1/10] rsa_4096_2: accepted for msfadmin (SHA256:q1yNRnyNODplVm6+I2ioRP9ewE78coWoWbDw2L3dTgw) - Private Key: Yes 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)'
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] SSH session 2 opened (10.0.0.1:42269 -> 10.0.0.10:22) at 2026-05-26 23:02:11 +0100
[-] 10.0.0.10:22 - [2/10] rsa_4096_1: not accepted for msfadmin
[+] 10.0.0.10:22 - [3/10] rsa_2048_legacy_2: accepted for msfadmin (SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs) - Private Key: Yes 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)'
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] SSH session 3 opened (10.0.0.1:34445 -> 10.0.0.10:22) at 2026-05-26 23:02:12 +0100
[-] 10.0.0.10:22 - [4/10] rsa_2048_legacy_1: not accepted for msfadmin
[+] 10.0.0.10:22 - [5/10] rsa_2048_2: accepted for msfadmin (SHA256:3mu8YIA99vhhpbrKv8FF1pjAjNRlxHF8DzATM3p7W0M) - Private Key: Yes 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)'
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] SSH session 4 opened (10.0.0.1:42859 -> 10.0.0.10:22) at 2026-05-26 23:02:13 +0100
[-] 10.0.0.10:22 - [6/10] rsa_2048_1: not accepted for msfadmin
[+] 10.0.0.10:22 - [7/10] rsa_1024_2: accepted for msfadmin (SHA256:G2kiqv3dp9OyEp98YgfEjpRjUpzuVFhxN+7cQkyin88) - Private Key: Yes 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)'
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] SSH session 5 opened (10.0.0.1:38709 -> 10.0.0.10:22) at 2026-05-26 23:02:14 +0100
[-] 10.0.0.10:22 - [8/10] rsa_1024_1: not accepted for msfadmin
[+] 10.0.0.10:22 - [9/10] tmp_2.pub: accepted for msfadmin (SHA256:qzd4gfzyP8rqfx03wabeTyrWRXgB0ERpA8pLehQxr5o) - Private Key: No
[!] 10.0.0.10:22 - Key accepted for msfadmin but no private key available - cannot create session (public key only)
[-] 10.0.0.10:22 - [10/10] tmp_1.pub: not accepted for msfadmin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_key_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         2      4      9      13

msf auxiliary(scanner/ssh/ssh_key_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf auxiliary(scanner/ssh/ssh_key_login) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    tcp   open                                          {}
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)

msf auxiliary(scanner/ssh/ssh_key_login) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                                    References
---------                ----       -------       --------  ----                                    ----------
2026-05-26 21:59:50 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Authorized Key Accepted             ATT&CK-T1021.004
2026-05-26 21:59:51 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Authorized Key Login Check Scanner  ATT&CK-T1021.004

msf auxiliary(scanner/ssh/ssh_key_login) > creds
Credentials
===========

id   host       origin     service       public    private                                          realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------                                          -----  ------------  ----------  ----------------
579  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  6d:5d:df:2c:e6:5e:dd:a6:db:0d:84:4d:7d:bc:4a:19         SSH key
580  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  08:96:70:bd:c8:b1:bc:9b:cd:46:1c:f7:1d:4f:db:92         SSH key
581  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  0c:69:7c:f8:79:8d:2c:83:ca:d4:83:f7:7e:48:81:7f         SSH key
582  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  68:b3:a0:74:2c:4e:e4:ad:a3:06:b0:3f:74:a2:9d:95         SSH key

msf auxiliary(scanner/ssh/ssh_key_login) > loot

Loot
====

host       service  type                name                 content     info                                                path
----       -------  ----                ----                 -------     ----                                                ----
10.0.0.10           ssh.publickey.rsa   msfadmin_id_rsa.pub  text/plain  SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs  /home/kali/.msf4/loot/20260526225950_default_10.0.0.10_ssh.publickey.rs_468112.txt
10.0.0.10           ssh.privatekey.rsa  msfadmin_id_rsa      text/plain  SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs  /home/kali/.msf4/loot/20260526225950_default_10.0.0.10_ssh.privatekey.r_449006.txt
10.0.0.10           ssh.publickey.rsa   msfadmin_id_rsa.pub  text/plain  SHA256:q1yNRnyNODplVm6+I2ioRP9ewE78coWoWbDw2L3dTgw  /home/kali/.msf4/loot/20260526230211_default_10.0.0.10_ssh.publickey.rs_155610.txt
10.0.0.10           ssh.privatekey.rsa  msfadmin_id_rsa      text/plain  SHA256:q1yNRnyNODplVm6+I2ioRP9ewE78coWoWbDw2L3dTgw  /home/kali/.msf4/loot/20260526230211_default_10.0.0.10_ssh.privatekey.r_577896.txt
10.0.0.10           ssh.publickey.rsa   msfadmin_id_rsa.pub  text/plain  SHA256:3mu8YIA99vhhpbrKv8FF1pjAjNRlxHF8DzATM3p7W0M  /home/kali/.msf4/loot/20260526230212_default_10.0.0.10_ssh.publickey.rs_662720.txt
10.0.0.10           ssh.privatekey.rsa  msfadmin_id_rsa      text/plain  SHA256:3mu8YIA99vhhpbrKv8FF1pjAjNRlxHF8DzATM3p7W0M  /home/kali/.msf4/loot/20260526230212_default_10.0.0.10_ssh.privatekey.r_253045.txt
10.0.0.10           ssh.publickey.rsa   msfadmin_id_rsa.pub  text/plain  SHA256:G2kiqv3dp9OyEp98YgfEjpRjUpzuVFhxN+7cQkyin88  /home/kali/.msf4/loot/20260526230213_default_10.0.0.10_ssh.publickey.rs_069247.txt
10.0.0.10           ssh.privatekey.rsa  msfadmin_id_rsa      text/plain  SHA256:G2kiqv3dp9OyEp98YgfEjpRjUpzuVFhxN+7cQkyin88  /home/kali/.msf4/loot/20260526230213_default_10.0.0.10_ssh.privatekey.r_758952.txt
10.0.0.10           ssh.publickey.rsa   msfadmin_id_rsa.pub  text/plain  SHA256:qzd4gfzyP8rqfx03wabeTyrWRXgB0ERpA8pLehQxr5o  /home/kali/.msf4/loot/20260526230214_default_10.0.0.10_ssh.publickey.rs_819024.txt

msf auxiliary(scanner/ssh/ssh_key_login) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type               Data
 ----                     ----       -------  ----  --------  ----               ----
 2026-05-26 21:59:50 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe            {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-26 21:59:50 UTC  10.0.0.10  ssh      22    tcp       ssh.hostkey        {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}
 2026-05-26 21:59:50 UTC  10.0.0.10  tcp      22    tcp       ssh.accepted_keys  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIwliRlyg+ZA5R4GmRNHu9i8UyuzIiJdB5P8/8a1SwrjjXvQTOjEg
                                                                                 XOnw/kMygqAyNlMbSyHj7nUxL5xjLloDmeop9yMCqbVLQ4cV8xmTBQ//ezxYKYAubHa8qRD/aKB3A1s+gI+nkDfRvfzLzYV5SSUoNXKAv93iAn2Clj8Mr/Rrt81Te
                                                                                 3SatvGjdDpu1ke46wwJ+HXBlQXbPa/9IIsT6iJw5RMnr4FaxpvxZPp1evQMjXzYuDWlLlR3HButaRz7CLUeIgQ1ZJwsvCORCnQ25RSjCYho96wrEioqASc9UUBBGM
                                                                                 DeAligv1euoClvaOPHIAgf1D0yrK4l+Pu4wPxfb", :private_key=>true}
 2026-05-26 21:59:50 UTC  10.0.0.10  tcp      22    tcp       ssh.proof          {:credential=>"msfadmin:SHA256:SujbJCC/eVK8R8hQ+/5n4IyJoMwNBIKlyRwKqJUwOEs", :id=>"uid=1000(msfadmin) gid=1000(msfadmin) grou
                                                                                 ps=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(samb
                                                                                 ashare),1000(msfadmin)", :uname=>"Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux"}
 2026-05-26 22:02:10 UTC  10.0.0.10  tcp      22    tcp       ssh.cpe            {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-26 22:02:10 UTC  10.0.0.10  tcp      22    tcp       ssh.hostkey        {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}
 2026-05-26 22:02:11 UTC  10.0.0.10  tcp      22    tcp       ssh.accepted_keys  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDzp7xbi00yMK+feukS9dDFI7p/w6oUPlgba1PO6KI4rRDV/n3Z50P
                                                                                 2zmZ3nEatrFSqtkge12BE0AxH4HjwxHgfnhrEpdziZ1ZNxipkxbjB9vzdGtkHA56s14sPBxNINDmaB+66/99bRBdCRnbuGKNsV9trr+ToM4t7p1ZluP2UXi/AEb1K
                                                                                 K+PW+l9lkw30qOH8pSZO7ga2ZPxjtJoTFt16CniEiQ+S5RqUs3DvmdMypg1UfyWxX5QIcpbqLqUTY1jfNAMGhbBWsIEm3PeZecyGvAr/x9yxvImZwQAn46wqYnG10
                                                                                 zcCYYqs0wA4Vj5ILO6bNpmEJVWVCCiWUi1XDNQDN+UtVc+Gqxc9IThyY2O1KHv7lRHX1qgHEzXnHyoolxUu03N8WhF24dEcN59nn/wu3lnZWkxCgySrwZXAma7Gyl
                                                                                 uaBKkGe6fKz63aPPWaziF6JCrVH8CS0tbvQtUg2ZOYH2FWyQfd6d/85FZKcMBkdlYaF5Mq1Xxvajs4CTAGsLiPXC+rslzvn1vm6qLVISe43NFOngr3AamS3n9Zz/5
                                                                                 HrAKTdjB+AEJ3lk/ye1o7dVkUQw18mR+SxMML92s6mjYsm/NZwUHt5qJq67KMwIkASIgQJrZ40DvBumFesaTx4sWIqksbuZmv1cR+1YR5PO7dspbHA4ldutjViWcT
                                                                                 0hfxbw==", :private_key=>true}
 2026-05-26 22:02:11 UTC  10.0.0.10  tcp      22    tcp       ssh.proof          {:credential=>"msfadmin:SHA256:q1yNRnyNODplVm6+I2ioRP9ewE78coWoWbDw2L3dTgw", :id=>"uid=1000(msfadmin) gid=1000(msfadmin) grou
                                                                                 ps=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(samb
                                                                                 ashare),1000(msfadmin)", :uname=>"Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux"}
 2026-05-26 22:02:12 UTC  10.0.0.10  tcp      22    tcp       ssh.accepted_keys  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl2rPtkEPHT3DdilnZVPG7ZtuZWUcjE5croeYFcN+Gth+AvsPikza
                                                                                 PRVMQnGNVuAPL1ng3IgjPSqQzVkhkI3uIwyXgH6+CoOa80coOHDp3RRYsNeNfnjZqaF1WT8a/ZyOAgYc8uwVXuxwWDT+ucDNxFzpZYjeCEnBjHfhVNTJQ/jeeTZ6I
                                                                                 HkBaCcr3AxIzIW7a/935Bgxf6IvdeIB7SMFd6SPuDu8Z4veXFysC/W0jF91I436KNyRjcXX6bOTD6wcy6ShNJjFfPvtfHjSNLhSE+WlRBK0XxYSWoYkPtWe2tMIth
                                                                                 ZdNCv9UqlfY3qipkJ8gFVNcoCweIFks9zTAwsdL", :private_key=>true}
 2026-05-26 22:02:12 UTC  10.0.0.10  tcp      22    tcp       ssh.proof          {:credential=>"msfadmin:SHA256:3mu8YIA99vhhpbrKv8FF1pjAjNRlxHF8DzATM3p7W0M", :id=>"uid=1000(msfadmin) gid=1000(msfadmin) grou
                                                                                 ps=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(samb
                                                                                 ashare),1000(msfadmin)", :uname=>"Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux"}
 2026-05-26 22:02:13 UTC  10.0.0.10  tcp      22    tcp       ssh.accepted_keys  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCdl6yBo52RztXACkoqOmlbt0rO7Fj4egh9FEPz80JmVLW0LRG9K1C
                                                                                 enSvniyh5am5r6X+PfqQhZ+nDedddciJZQo6zUceOyuJxhbh/AooDpNrbt4qFw8N86GsIJa+1ZknOydjOuIDb6D8PWTKbR+6gFE9gJ/I5xNewsNRTddwT8Q==", :
                                                                                 private_key=>true}
 2026-05-26 22:02:13 UTC  10.0.0.10  tcp      22    tcp       ssh.proof          {:credential=>"msfadmin:SHA256:G2kiqv3dp9OyEp98YgfEjpRjUpzuVFhxN+7cQkyin88", :id=>"uid=1000(msfadmin) gid=1000(msfadmin) grou
                                                                                 ps=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(samb
                                                                                 ashare),1000(msfadmin)", :uname=>"Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux"}
 2026-05-26 22:02:14 UTC  10.0.0.10  tcp      22    tcp       ssh.accepted_keys  {:user=>"msfadmin", :public_key=>"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9P8cr5WzJu+xIu3UZiOetIGdCuRSA4sulMSnP/w8i0+l2gqqcifL
                                                                                 KaZNkdGHyhEL3/2Ux8n8CbPQhOYIKtqPxd3OdxfxTEVp2EmmN0oheWuv9uepV5sLZmPjwXrtdazpYKfj+J86053FqEFQF60SA3KADQe8jrsRh3hTtYLt9hXzzF6Sn
                                                                                 vXyXR5fhx5FyQRfjia91y/lE2Q31mF2htjsgTF0HHP+AAinlBhJhecQMtKwa762mYPZpzs+X+To/O1sDCivkSfEy25VtiXsFIPq+8ZgEOl2kscIa7fblaO0HrIKIQ
                                                                                 Mid2tuQw2p5518oReE20KiseXh3fQa/3oncTlpIPIGaI8ThVFM3GTaESn5TGJQdrSWeZY9t3V4Y83tlrkMSccbBtA8q9yjb+z1GoFfhONYSZ7uPfjm8AS0hQ1LPit
                                                                                 KFPy3Y6U5UrMwmZQDOWfd7BPzWtKl90LZ28IdpI3SyvxwXGNCdtfKkSXTTg7PJv05aZwRKLJwV5nlQX1sUbYs= kali@bdesktop", :private_key=>false}

msf auxiliary(scanner/ssh/ssh_key_login) >

@g0tmi1k g0tmi1k force-pushed the ssh_identify_pubkeys branch 13 times, most recently from 946fd5e to 81397a3 Compare May 19, 2026 09:57
@g0tmi1k g0tmi1k force-pushed the ssh_identify_pubkeys branch from 653ef9d to 3083f8c Compare May 19, 2026 15:10
@g0tmi1k g0tmi1k marked this pull request as draft May 21, 2026 13:49
@g0tmi1k g0tmi1k force-pushed the ssh_identify_pubkeys branch from 3083f8c to aed8233 Compare May 26, 2026 11:45
@g0tmi1k g0tmi1k force-pushed the ssh_identify_pubkeys branch from aed8233 to 205595a Compare May 26, 2026 12:58
g0tmi1k added 3 commits May 26, 2026 15:43
@g0tmi1k
ssh_key_login: Say if SSH_BYPASS may fail
d1a2169
@g0tmi1k
ssh_key_login: Tweak output
96bfeb8
@g0tmi1k
ssh_key_login: Update SSH loot key name
3164e90 
Consistency with: ./modules/auxiliary/scanner/ssh/ssh_key_login.rb, ./modules/exploits/multi/persistence/ssh_key.rb & ./modules/post/multi/gather/ssh_creds.rb
@g0tmi1k g0tmi1k force-pushed the ssh_identify_pubkeys branch from 205595a to 3e0ded3 Compare May 26, 2026 14:44
@g0tmi1k g0tmi1k force-pushed the ssh_identify_pubkeys branch from 3e0ded3 to 2cf8ac1 Compare May 26, 2026 21:57
@g0tmi1k g0tmi1k marked this pull request as ready for review May 26, 2026 22:09
@g0tmi1k
Copy link
Copy Markdown
Contributor Author

g0tmi1k commented May 26, 2026

Think I've finished tweaking with this PR!

@g0tmi1k g0tmi1k mentioned this pull request May 27, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@g0tmi1k @smcintyre-r7