SSH Wide Compatability Mode Unsupported [SOLUTION]

[godylockz]

Description:

Running SSH in "Wide Compatibility Mode" causes hydra not to error out. This is enabled via kali-tweaks -> Hardening or adding the following to /etc/ssh/ssh_config. The + indicates append to default.

Host *
  Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
  KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
  HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com
  PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com                                                                                                                                                                                              

Versions

Kali Version 2022.3, Hydra v9.3

Error

$ hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://10.10.11.166
[INFO] Testing if password authentication is supported by ssh://michael@10.10.11.166:22
[2022/09/28 00:41:59.494904, 1] socket_callback_connected:  Socket connection callback: 1 (0)
[2022/09/28 00:41:59.526248, 1] ssh_client_select_hostkeys:  List of allowed host key algorithms is empty or contains only unsupported algorithms
[ERROR] could not connect to ssh://10.10.11.166:22 - ssh_set_client_kex: Out of memory

Expected behavior

SSH bruteforcing should work correctly in Wide Compatibility mode. CrackMapExec works in the meantime:

cme ssh 10.10.11.166 -u michael -p /usr/share/wordlists/rockyou.txt

[ClaudioVarandas]

I think i have the same issue, using the "Wide Compatibility Mode" too, same version of OS and Hydra.

Here is my debug data:

┌──(root㉿kali)-[~]
└─# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.47.129:22 -t 4 -vV -d
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-29 18:07:50
[DEBUG] cmdline: hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 4 -vV -d ssh://192.168.47.129:22 
[DEBUG] opt:9 argc:10 mod:ssh tgt:192.168.47.129 port:22 misc:(null)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1009 login tries (l:1/p:1009), ~253 tries per task
[DATA] attacking ssh://192.168.47.129:22/
[VERBOSE] Resolving addresses ... 
[DEBUG] resolving 192.168.47.129
[VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.47.129:22
[ERROR] could not connect to ssh://192.168.47.129:22 - ssh_set_client_kex: Out of memory

[vanhauser-thc]

A quick search for this and libssh did not reveal the config changed required. I do not have time to work on this for the next weeks so if someone can send a PR this would be great ...

[elboulangero]

Hello,

this issue should be fixed in Kali Linux, as of today, with the latest version of kali-tweaks 2023.1.2, that just landed in kali-rolling.

Steps to follow:

1. Run sudo apt update && sudo apt full-upgrade -y to upgrade your Kali install.
2. Make sure the latest version of kali-tweaks was installed with dpkg -l | grep kali-tweaks (expect version 2023.1.2 or higher).
3. Then run kali-tweaks and enable the « SSH Wide Compatibility ». If it's already enabled, please disable it, confirm, then enable it again.

After that, it should work. Please report that the issue is indeed fixed.

For the curious, details on the exact issue can be found at: https://gitlab.com/kalilinux/packages/kali-tweaks/-/merge_requests/8#note_1241868100

Thanks!

[elboulangero]

I was told that it still fails, this time with a different error message:

[ERROR] could not connect to ssh://10.11.1.115:22 - kex error : no match for method mac algo client->server: server [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96], client [hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512]

So I just updated kali-tweaks so that, in « SSH Wide Compatibility » mode, the legacy MACs are also enabled. This was released in kali-tweaks version 2023.1.3.

For anyone interested to test, same procedure as above to update (steps 1, 2 and 3). Thanks!

[chinnidiwakar]

Still the same issue, i tried in latest kali. any update on this? regular ssh command words, medusa works, nmap script works, but not hydra.
[ERROR] could not connect to ssh://10.0.0.169:22 - kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]

[elboulangero]

@chinnidiwakar Did you enable SSH "Wide Compatibility Mode" in Kali? This is enabled via command kali-tweaks, then in the menu Hardening.

[chinnidiwakar]

yes, the issue was after fixing that only. i have also tried to add them to config file, that did not help either.

…

On Tue, Sep 12, 2023 at 1:34 PM Arnaud Rebillout ***@***.***> wrote: @chinnidiwakar <https://github.com/chinnidiwakar> Did you enable SSH "Wide Compatibility Mode" in Kali? This is enabled via command kali-tweaks, then in the menu Hardening. — Reply to this email directly, view it on GitHub <#792 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADLBMHDUNMUQA4YL7FK6YHDX2AJPJANCNFSM6AAAAAAQXMP374> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[rickiey]

I ran into this problem with ubuntu

[ERROR] could not connect to ssh://192.168.5.133:22 - kex error : no match for method server host key algo: server [rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519], client [ssh-rsa] 

[elboulangero]

@chinnidiwakar Just to be sure, can you give me the ouput of:

ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort

Thanks

[chinnidiwakar]

[image: image.png] here it is

…

On Tue, Sep 12, 2023 at 2:40 PM Arnaud Rebillout ***@***.***> wrote: @chinnidiwakar <https://github.com/chinnidiwakar> Just to be sure, can you give me the ouput of: ssh -G '*' | grep -i '^HostKeyAlgo' | cut -d' ' -f2- | sed 's/,/\n/g' | sort Thanks — Reply to this email directly, view it on GitHub <#792 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADLBMHCGVLAEKPWM6RLHFYLX2ARHLANCNFSM6AAAAAAQXMP374> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[elboulangero]

@chinnidiwakar Didn't work, there's no image