No output and "Process exited with status 1" for Aruba Switches (S3500) #2

Open
BufferOverflowed opened this issue Oct 2, 2018 · 27 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@BufferOverflowed

What version of Go are you using (go version)?

go1.11 darwin/amd64

What operating system and processor architecture are you using (go env)?

MacOS 10.14

What did you do?

Attempting to execute a ping command on a single shell with the ciphers specified

What did you expect to see?

A successful reply with round trip latency info

What did you see instead?

(Process exited with status 1)

Not sure if this is a limitation with my Aruba switches, although it works perfectly on our Aruba controllers. If this issue doesn't seem to be related to Shellz, sorry for opening an issue. In any case, I have uploaded a screenshot of the issue I'm facing. Thanks again for the deprecated cipher support so quickly! You are awesome!

[Image: screen shot 2018-10-02 at 10 06 14 am]

@evilsocket
Owner

i can normally ping, the only systems where i get that are the ones where i need to be sudo in order to run ping (because ping is in /sbin or /usr/sbin which is not in $PATH by default)

@BufferOverflowed
Author

Ping was just an example. I receive the "Process exited with status 1" error when attempting to run any command on these Aruba switches. It could very well be a limitation with the Aruba switches, although the Aruba controllers (similar cli) output the results just fine. The only difference between the two is the need to specify the deprecated ciphers in the switches .json file. Please let me know if you need any more information/logs. Thanks again for your help!

@evilsocket
Owner

can you execute those commands just by using ssh, like ssh user@host command ?

@evilsocket
Owner

evilsocket commented Oct 2, 2018

( i also suggest you to test ping -c 1 8.8.8.8 or to increase the -read-timeout to a lot :D )

@BufferOverflowed
Author

Yes, I have no issues executing the commands when directly connecting via ssh with the same credentials specified in the idents file. For me, this utility would be so amazing for simple configs/backups on all my NADs which is why I hope it’s something fixable :D

@evilsocket
Owner

everything is fixable! :D I just need to understand why that happens and, without having access to those endpoints and inserting debug messages here and there in the code to test it's very hard :) it'd help the output of ssh -vv user@host "echo $SHELL" and also the shell json file you are using, let's start by comparing the ciphers! :D

@evilsocket
Owner

also any logs you can get server side would be great

@BufferOverflowed
Author

ssh -vv user@host "echo $SHELL" output

MacBook-Pro:~ user$ ssh -vv user@10.100.8.24 "echo $SHELL"
OpenSSH_7.7p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 10.100.8.24 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.100.8.24 [10.100.8.24] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.100.8.24:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1037/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:Fingerprint
debug1: Host '10.100.8.24' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:2
debug2: bits set: 1021/2048
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /Users/user/.ssh/id_rsa (0x7fd582f001f0)
debug2: key: /Users/user/.ssh/id_dsa (0x0)
debug2: key: /Users/user/.ssh/id_ecdsa (0x0)
debug2: key: /Users/user/.ssh/id_ed25519 (0x0)
debug2: key: /Users/user/.ssh/id_xmss (0x0)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
user@10.100.8.24's password: 

RC-MDF-24.json

MacBook-Pro:~ $ cat .shellz/shells/RC-MDF-24.json 
{
    "name": "RC-MDF-24",
    "host": "10.100.8.24",
    "port": 22,
    "identity": "default",
    "ciphers": ["aes128-cbc", "3des-cbc"]
}

Server Side Logs
Switch debug log shows successful authentication against our tacacs server with the correct (root) permissions assigned.

@evilsocket
Owner

evilsocket commented Oct 3, 2018

mmm is it me or it looks like $SHELL is not defined? what if you ssh user@host which sh ?

@BufferOverflowed
Author

Running ssh user@host which sh shows nothing unfortunately (unless I'm doing something wrong). for comparison:

ssh -vv user@host "echo $SHELL" output on Aruba Controller (device which Shellz works perfectly on (similar CLI))

MacBook-Pro:~ user$ ssh -vv user@10.2.1.153 "echo $SHELL"
OpenSSH_7.7p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 10.2.1.153 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.2.1.153 [10.2.1.153] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH
debug1: match: OpenSSH pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.2.1.153:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 1016/2048
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: ssh-rsa SHA256:4o67o6sJNbz8xeP+oALs/0xCgmAct1Mu9njHQSoaPI0
debug1: Host '10.2.1.153' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:4
debug2: bits set: 1027/2048
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /Users/user/.ssh/id_rsa (0x7f922b600650)
debug2: key: /Users/user/.ssh/id_dsa (0x0)
debug2: key: /Users/user/.ssh/id_ecdsa (0x0)
debug2: key: /Users/user/.ssh/id_ed25519 (0x0)
debug2: key: /Users/user/.ssh/id_xmss (0x0)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:RSA Key /Users/user/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
user@10.2.1.153's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 10.2.1.153 ([10.2.1.153]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending command: echo /bin/bash
debug2: channel 0: request exec confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug2: channel 0: rcvd ext data 51
          ^ 
Invalid input detected at '^' marker.
debug2: channel 0: written 51 to efd 6
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2432, received 1720 bytes, in 0.1 seconds
Bytes per second: sent 32097.1, received 22700.3
debug1: Exit status 0

ssh -vv user@host "echo $SHELL" output on Aruba Switch (10.100.8.24 device we have been using to test so far)

users-MacBook-Pro:~ user$ ssh -vv user@10.100.8.24 "echo $SHELL"
OpenSSH_7.7p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 10.100.8.24 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.100.8.24 [10.100.8.24] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.100.8.24:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1074/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:RSA Key
debug1: Host '10.100.8.24' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:2
debug2: bits set: 1021/2048
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /Users/user/.ssh/id_rsa (0x7f87f8600120)
debug2: key: /Users/user/.ssh/id_dsa (0x0)
debug2: key: /Users/user/.ssh/id_ecdsa (0x0)
debug2: key: /Users/user/.ssh/id_ed25519 (0x0)
debug2: key: /Users/user/.ssh/id_xmss (0x0)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
user@10.100.8.24's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 10.100.8.24 ([10.100.8.24]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending command: echo /bin/bash
debug2: channel 0: request exec confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2024, received 1736 bytes, in 0.0 seconds
Bytes per second: sent 115163.6, received 98776.7
debug1: Exit status 1

Please let me know if I can provide any additional information/logs/packet captures...etc. In the meantime, I'll try replicating the issues on other host OS's.
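
Added example, not part of the thread and not shellz code: a small Go program that reduces an `ssh -vv` trace to the fields worth comparing between the two devices (server version, negotiated cipher, whether the server offers only CBC ciphers, the command string actually sent, stderr bytes received, exit status). The embedded traces are excerpts of the two logs above; the `Summary` type and `Summarize` function are names made up for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Excerpts of the two traces posted above: the S3500 switch, then the controller.
const switchTrace = `debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes128-cbc,aes256-cbc
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: Sending command: echo /bin/bash
debug1: Exit status 1`
const controllerTrace = `debug1: Remote protocol version 2.0, remote software version OpenSSH
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: Sending command: echo /bin/bash
debug2: channel 0: rcvd ext data 51
debug1: Exit status 0`

// Summary (a name made up for this example) holds the fields worth comparing.
type Summary struct {
	ServerVersion string
	Cipher        string   // negotiated client->server cipher
	ServerCiphers []string // ciphers the server offered
	CBCOnly       bool     // true when the server offers nothing but CBC modes
	Command       string   // command string the client actually sent
	StderrBytes   int      // extended (stderr) data received on the channel
	ExitStatus    int      // -1 when the trace ends before an exit status
}

var (
	reVersion = regexp.MustCompile(`remote software version (\S+)`)
	reCipher  = regexp.MustCompile(`kex: client->server cipher: (\S+)`)
	reCommand = regexp.MustCompile(`Sending command: (.*)$`)
	reExtData = regexp.MustCompile(`rcvd ext data (\d+)`)
	reExit    = regexp.MustCompile(`Exit status (-?\d+)`)
)

// Summarize scans an `ssh -vv` trace line by line and fills in a Summary.
func Summarize(trace string) Summary {
	s := Summary{ExitStatus: -1}
	text := []struct {
		re  *regexp.Regexp
		dst *string
	}{{reVersion, &s.ServerVersion}, {reCipher, &s.Cipher}, {reCommand, &s.Command}}
	inServerProposal := false
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		line := sc.Text()
		if strings.Contains(line, "peer server KEXINIT proposal") {
			inServerProposal = true
		} else if i := strings.Index(line, "ciphers ctos: "); i >= 0 && inServerProposal {
			s.ServerCiphers = strings.Split(strings.TrimSpace(line[i+len("ciphers ctos: "):]), ",")
			inServerProposal = false // only the first list after the server header counts
		}
		for _, f := range text {
			if m := f.re.FindStringSubmatch(line); m != nil {
				*f.dst = m[1]
			}
		}
		if m := reExtData.FindStringSubmatch(line); m != nil {
			n, _ := strconv.Atoi(m[1])
			s.StderrBytes += n
		}
		if m := reExit.FindStringSubmatch(line); m != nil {
			s.ExitStatus, _ = strconv.Atoi(m[1])
		}
	}
	s.CBCOnly = len(s.ServerCiphers) > 0
	for _, c := range s.ServerCiphers {
		if !strings.HasSuffix(c, "-cbc") {
			s.CBCOnly = false
		}
	}
	return s
}

func main() {
	fmt.Printf("switch     %+v\n", Summarize(switchTrace))
	fmt.Printf("controller %+v\n", Summarize(controllerTrace))
}
```

On these excerpts both devices were sent `echo /bin/bash`, because the local shell expands `$SHELL` inside double quotes before ssh runs; the controller answered with 51 bytes on stderr and exit status 0, the switch with no output and exit status 1.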

@evilsocket
Owner

i'd need to login myself via ssh and try to see why that happens ... also, what if you use shellz to execute other commands (say a simple ls)?

@ohpe

ohpe commented Oct 3, 2018

I don't know how ArubaOS-Switch works, but maybe the env would help a bit?

@evilsocket
Owner

possibly? no idea why it's returning exit code 1 but no output, I used CombinedOutput so it should at least get the stderr ... no idea :/

@BufferOverflowed
Author

Not sure if this is completely irrelevant to this issue, but:

Shellz on Working NAD (10.2.1.153 Aruba Controller)
Client: Protocol (SSH-2.0-Go)
Server: Protocol (SSH-2.0-OpenSSH)

SSH Direct on Working NAD (10.2.1.153 Aruba Controller)
Client: Protocol (SSH-2.0-OpenSSH_7.7)
Server: Protocol (SSH-2.0-OpenSSH)

Shellz on NON Working NAD (10.100.8.24 Aruba Switch)
Client: Protocol (SSH-2.0-Go)
Server: Protocol (SSH-2.0-OpenSSH_5.8)

SSH Direct on NON Working NAD (10.100.8.24 Aruba Switch)
Client: Protocol (SSH-2.0-OpenSSH_7.7)
Server: Protocol (SSH-2.0-OpenSSH 5.8)

@BufferOverflowed
Author

BufferOverflowed commented Oct 3, 2018

also, no matter what command I attempt to execute using Shellz on these Aruba (S3500) Switches, I'm greeted with "(Process exited with status 1)" and no output :(

@ohpe

ohpe commented Oct 3, 2018

Check the ssh error logs (maybe here /var/log/auth.log) and then execute the shellz command. You should see some errors.

@evilsocket
Owner

i'm googling as hard as i can but i can't find any documented issue with golang, its ssh libraries and Aruba Switches :/

@evilsocket evilsocket changed the title from "Process exited with status 1" to "No output and "Process exited with status 1" for Aruba Switches (S3500)" Oct 3, 2018
@evilsocket evilsocket added the bug Something isn't working label Oct 3, 2018
@BufferOverflowed
Author

Looking into our RADIUS server (Clearpass) I see successful authentications when using Shellz. So the switch is sending the auth request to our radius server and the server is passing the correct roles to the switch. Unfortunately, our entire fleet of access switches consists of the Aruba S3500's. Shellz works as expected on our controllers and core distribution switches. All switches are running the latest code, however, they're EoL so worst case, we will be replacing them over time. You guys are awesome, and I appreciate the level of help you provide to the community!

@evilsocket
Owner

any chances you could allow me to access one of the oldest so i can debug myself? i had to try :D

@evilsocket
Owner

evilsocket commented Oct 3, 2018

ok @RIPv1 there's a test you can help me doing! you'll need to compile from source and patch some files, ready? :D

  1. Remove the shellz binary from your system, wherever it is now.
  2. As for README, make sure you download shellz from sources (go get bla bla bla)
  3. cd into $GOPATH/src/github.com/evilsocket/shellz
  4. Now you will have to grep for debugHandshake and debugTransport, you will find a few references on some files in the vendor folder.
  5. Patch those variables and set them to true
  6. From shellz source folder, make install ( this will compile and move shellz into $GOPATH/bin )

Now you should have additional debug messages when connecting to your switches :)

@BufferOverflowed
Author

No problem, I'll work on creating a DMZ on my home network with shell access to an S3500 with some local mgmt creds. Or maybe just a Goto Meeting with a laptop directly connected to the switch ;)

@BufferOverflowed
Author

@evilsocket when I grep debugHandshake or grep debugTransport in the $GOPATH/src/github.com/evilsocket/shellz directory, it just hangs and doesn't return any values. I should probably mention, my grep skills suck.

@evilsocket
Owner

cd $GOPATH/src/github.com/evilsocket/shellz
make deps # this will make sure the vendor folder gets filled with the dependencies
grep -r debugHandshake .

you will see this, edit this file and set the variable to true:

[Image: schermata da 2018-10-03 19-10-59]

Repeat for debugTransport, and then again:

make install

Now run shellz normally and you should have more info on the output ... i hope :D

@BufferOverflowed
Author

BufferOverflowed commented Oct 3, 2018

Okay, I successfully removed the shellz binary, installed from source (go get) and set the variables in both files and ran sudo make install which returned the following:

mv: rename shellz to /bin/shellz: Operation not permitted
make: *** [install] Error 1

So I recreated the idents and shells .json files for the switch and ran ./shellz from the src directory. Unfortunately, it doesn't appear to provide more logs when attempting to connect (see attached)

[Image: no dice]

@evilsocket
Owner

your $GOPATH is not defined, otherwise it wouldn't be /bin! :D ... as for the logs, that's weird ... need further investigation

@BufferOverflowed
Author

:D oops! And once you have access to the switch I'm assuming it would make troubleshooting 10000 times easier for you!

@evilsocket
Owner

@RIPv1 ping?

@evilsocket evilsocket added the help wanted Extra attention is needed label Oct 8, 2018