SSH mixin: New functions to help populate workspaces by g0tmi1k · Pull Request #21479 · rapid7/metasploit-framework

g0tmi1k · 2026-05-19T06:33:12Z

This PR adds various new functions, with the goal to help auto update/populate the workspace:

connect_ssh()
connect_ssh_transport()
grab_ssh_banner()
report_ssh_host() - report_host() & report_note(ssh.cpe) via Recog (same as FTP mixin)
report_ssh_hostkeys() - report_note(ssh.hostkey)
report_ssh_service() - report_service()
- Also able to report_host(), when host is up but the service is down or incorrect

All modules to use connect_ssh() & connect_ssh_transport() were applicable.

Examples of this being used:

This is a little older demo

Before

Hosts: 10.0.0.10 (Metasploitable 2)
Servies: Missing banner & parent
Notes: 0

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
$ ./msfconsole -q -x 'workspace -D;
use auxiliary/scanner/ssh/ssh_enumusers;
set RHOSTS 10.0.0.10;
set USERNAME msfadmin;
run;'
[*] Deleted workspace: default
[*] Recreated the default workspace
[*] Setting default action Malformed Packet - view all 2 actions with the show actions command
RHOSTS => 10.0.0.10
USERNAME => msfadmin
[*] 10.0.0.10:22 - SSH - Using malformed packet technique
[*] 10.0.0.10:22 - SSH - Checking for false positives
[*] 10.0.0.10:22 - SSH - Starting scan
[+] 10.0.0.10:22 - SSH - User 'msfadmin' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      1      0      0

msf auxiliary(scanner/ssh/ssh_enumusers) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf auxiliary(scanner/ssh/ssh_enumusers) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  22    tcp    ssh   open         {}

msf auxiliary(scanner/ssh/ssh_enumusers) >

After

Hosts: OS info added
Servies: SSH banner included & Added parent (matches other modules/mixins)
Notes: 2x

$ git checkout ssh_mixin
branch 'ssh_mixin' set up to track 'origin/ssh_mixin'.
Switched to a new branch 'ssh_mixin'
$ ./msfconsole -q -x 'workspace -D;
use auxiliary/scanner/ssh/ssh_enumusers;
set RHOSTS 10.0.0.10;
set USERNAME msfadmin;
run;'
[*] Deleted workspace: default
[*] Recreated the default workspace
[*] Setting default action Malformed Packet - view all 2 actions with the show actions command
RHOSTS => 10.0.0.10
USERNAME => msfadmin
[*] 10.0.0.10:22 - SSH - Using malformed packet technique
[*] 10.0.0.10:22 - SSH - Checking for false positives
[*] 10.0.0.10:22 - SSH - Starting scan
[+] 10.0.0.10:22 - SSH - User 'msfadmin' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         0      1      0      2

msf auxiliary(scanner/ssh/ssh_enumusers) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf auxiliary(scanner/ssh/ssh_enumusers) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)
10.0.0.10  22    tcp    tcp   open                                          {}

msf auxiliary(scanner/ssh/ssh_enumusers) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type         Data
 ----                     ----       -------  ----  --------  ----         ----
 2026-05-19 06:30:57 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe      {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-19 06:30:57 UTC  10.0.0.10  ssh      22    tcp       ssh.hostkey  {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}

msf auxiliary(scanner/ssh/ssh_enumusers) >

g0tmi1k · 2026-05-19T16:04:24Z

Before: * default 1 1 1 0 0 0
After: * default 1 2 1 0 0 2

Before

$ git checkout master
Switched to branch 'master'
Your branch is up to date with 'origin/master'.
$ ./msfconsole -q -x 'workspace -D;
use auxiliary/scanner/ssh/ssh_version;
set RHOSTS 10.0.0.10;
run;'
[...]
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      0

msf auxiliary(scanner/ssh/ssh_version) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux               8.04   server

msf auxiliary(scanner/ssh/ssh_version) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}

msf auxiliary(scanner/ssh/ssh_version) >

After

$ git checkout ssh_mixin
Switched to branch 'ssh_mixin'
Your branch is up to date with 'origin/ssh_mixin'.
$ ./msfconsole -q -x 'workspace -D;
use auxiliary/scanner/ssh/ssh_version;
set RHOSTS 10.0.0.10;
run;'
[...]
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      0      0      2

msf auxiliary(scanner/ssh/ssh_version) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf auxiliary(scanner/ssh/ssh_version) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)
10.0.0.10  22    tcp    tcp   open                                          {}

msf auxiliary(scanner/ssh/ssh_version) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type         Data
 ----                     ----       -------  ----  --------  ----         ----
 2026-05-19 16:02:46 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe      {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-19 16:02:46 UTC  10.0.0.10  ssh      22    tcp       ssh.hostkey  {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}

msf auxiliary(scanner/ssh/ssh_version) >

g0tmi1k · 2026-05-19T17:06:12Z

Also have it reporting_host:

Trying to use a SSH module on a up/open non-SSH service (such as 21/TCP - FTP)
As well as a port (999/TCP) that isn't open.

Before

Doesn't track the host at all:

msf auxiliary(scanner/ssh/ssh_version) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_version) > set RPORT 21
RPORT => 21
msf auxiliary(scanner/ssh/ssh_version) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_version) >
msf auxiliary(scanner/ssh/ssh_version) >
msf auxiliary(scanner/ssh/ssh_version) >
msf auxiliary(scanner/ssh/ssh_version) > set RPORT 999
RPORT => 999
msf auxiliary(scanner/ssh/ssh_version) > run
[*] Error: 10.0.0.10: Errno::ECONNREFUSED Connection refused - connect(2) for 10.0.0.10:999
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_version) >

After

Host up!

msf auxiliary(scanner/ssh/ssh_version) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_version) > set RPORT 21
RPORT => 21
msf auxiliary(scanner/ssh/ssh_version) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/ssh/ssh_version) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf auxiliary(scanner/ssh/ssh_version) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  21    tcp          open         {}

msf auxiliary(scanner/ssh/ssh_version) >
msf auxiliary(scanner/ssh/ssh_version) >
msf auxiliary(scanner/ssh/ssh_version) >

msf auxiliary(scanner/ssh/ssh_version) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_version) > set RPORT 999
RPORT => 999
msf auxiliary(scanner/ssh/ssh_version) > run
[*] Error: 10.0.0.10: Errno::ECONNREFUSED Connection refused - connect(2) for 10.0.0.10:999
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_version) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf auxiliary(scanner/ssh/ssh_version) >

And stop phantom service creation from `parents:` on port/proto lookup: ./lib/msf/core/db_manager/service.rb

…en host up, service down

For Msf::Auxiliary::ReportSummary and otherwise there is a ghost/phantom unnamed service entry due to infer_vuln_from_session() -> find_by_port()

g0tmi1k · 2026-05-27T07:13:24Z

Think I've finished tweaking with this PR!

adfoster-r7 · 2026-06-02T23:37:47Z

Just a heads up that there's some syntax errors:

  4) modules it should behave like all modules with module type can be instantiated exploit linux/http/cisco_firepower_useradd behaves like a module with valid metadata verifies modules metadata
     Failure/Error: module_eval(module_content, module_path)

     SyntaxError:
       --> /home/runner/work/metasploit-framework/metasploit-framework/modules/exploits/linux/http/cisco_firepower_useradd.rb
       Unmatched `end', missing keyword (`do', `def`, `if`, etc.) ?
       > 266  gin
       > 268      ensure
       > 270      end
       > 271    end
       > 272  end
       
       /home/runner/work/metasploit-framework/metasploit-framework/modules/exploits/linux/http/cisco_firepower_useradd.rb:268: syntax error, unexpected `ensure' (SyntaxError)
           ensure
           ^~~~~~

adfoster-r7 · 2026-06-02T23:38:30Z

Give me a ping when that's resolved and we can try to get reviews/merges in place 🤞

smcintyre-r7 added this to Metasploit Kanban May 19, 2026

github-project-automation Bot moved this to Todo in Metasploit Kanban May 19, 2026

g0tmi1k force-pushed the ssh_mixin branch 3 times, most recently from 30284d1 to 6672698 Compare May 19, 2026 15:09

g0tmi1k force-pushed the ssh_mixin branch from 6672698 to 8056868 Compare May 19, 2026 16:19

g0tmi1k force-pushed the ssh_mixin branch 3 times, most recently from 80cfdae to 5ee027a Compare May 21, 2026 12:25

g0tmi1k marked this pull request as draft May 21, 2026 13:49

SSH: Add connect_ssh()

3f40bd7

And stop phantom service creation from `parents:` on port/proto lookup: ./lib/msf/core/db_manager/service.rb

g0tmi1k force-pushed the ssh_mixin branch 3 times, most recently from 21dcd37 to dea61ff Compare May 22, 2026 18:20

g0tmi1k added 3 commits May 26, 2026 13:56

SSH: Add report_ssh_host()

cbcadc1

SSH: Add report_ssh_hostkeys()

efb22e0

SSH: Add connect_ssh_transport()

7f63f2a

g0tmi1k force-pushed the ssh_mixin branch from f5f2fb4 to 548af9a Compare May 26, 2026 12:57

g0tmi1k added 2 commits May 26, 2026 14:03

SSH: report_service when host up, non-ssh service up & report_host wh…

e3560ec

…en host up, service down

SSH: Add grab_ssh_banner()

f626aff

g0tmi1k force-pushed the ssh_mixin branch from 548af9a to 3e83dea Compare May 26, 2026 13:03

g0tmi1k mentioned this pull request May 26, 2026

ssh_version: Various improvements #21393

Open

g0tmi1k force-pushed the ssh_mixin branch from 3e83dea to b9d9c5f Compare May 26, 2026 17:01

g0tmi1k added 2 commits May 26, 2026 19:32

SSH: Add report_ssh_service()

c8c178e

SSH: Add service_details()

c3c7e7c

For Msf::Auxiliary::ReportSummary and otherwise there is a ghost/phantom unnamed service entry due to infer_vuln_from_session() -> find_by_port()

g0tmi1k force-pushed the ssh_mixin branch from b9d9c5f to c3c7e7c Compare May 26, 2026 18:32

This was referenced May 26, 2026

detect_kippo -> ssh_honeypot & Add Cowrie support #21433

Open

ssh_enumusers: Update workspace #21438

Open

This was referenced May 26, 2026

SSH_Login: Various improvements #21507

Open

ssh_identify_pubkeys -> ssh_key_login #21450

Open

sshexec: Timeout & KEY_FILE support #21508

Open

ssh_key_persistence: Bug fixes #21510

Open

ssh_creds: PARSE_KNOWN_HOSTS & CRACK_KNOWN_HOSTS #21511

Open

g0tmi1k marked this pull request as ready for review May 27, 2026 06:53

g0tmi1k changed the title ~~SSH mixin: Add connect_ssh() for report_service & report_host~~ SSH mixin: New functions to help populate workspaces May 27, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSH mixin: New functions to help populate workspaces#21479

SSH mixin: New functions to help populate workspaces#21479
g0tmi1k wants to merge 8 commits into
rapid7:masterfrom
g0tmi1k:ssh_mixin

g0tmi1k commented May 19, 2026 •

edited

Loading

Uh oh!

g0tmi1k commented May 19, 2026

Uh oh!

g0tmi1k commented May 19, 2026

Uh oh!

g0tmi1k commented May 27, 2026

Uh oh!

adfoster-r7 commented Jun 2, 2026

Uh oh!

adfoster-r7 commented Jun 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

g0tmi1k commented May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Before

After

Uh oh!

g0tmi1k commented May 19, 2026

Before

After

Uh oh!

g0tmi1k commented May 19, 2026

Before

After

Uh oh!

g0tmi1k commented May 27, 2026

Uh oh!

adfoster-r7 commented Jun 2, 2026

Uh oh!

adfoster-r7 commented Jun 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

g0tmi1k commented May 19, 2026 •

edited

Loading