ssh

Execute commands on a remote host via SSH.

Note

This command caches all settings so that they only need to be defined once.

Background mode with a session is not supported for this command.

vars:
  $SERVER_ADDRESS: 192.42.0.254
  $SSH_SERVER: 10.10.10.19

commands:
  # Establish a new connection and create a named session:
  - type: ssh
    cmd: nmap $SERVER_ADDRESS
    hostname: $SSH_SERVER
    username: aecid
    key_filename: "/home/alice/.ssh/id_rsa"
    creates_session: attacker

  # Reuses cached settings, opens a new connection:
  - type: ssh
    cmd: echo $SERVER_ADDRESS

  # Reuses the existing "attacker" session:
  - type: ssh
    session: attacker
    cmd: id

Connection

hostname

Hostname or IP address of the remote SSH server.

Type:

str

port

Port to connect to on the remote host.

Type:

int

Default:

22

username

Username to authenticate as on the remote host.

Type:

str

password

Password for authentication. An alternative is to use key_filename.

Type:

str

key_filename

Path to a private key file for authentication.

Type:

str

passphrase

Passphrase to decrypt key_filename, if the key is passphrase-protected.

Type:

str

timeout

Timeout in seconds for connection attempts.

Type:

float

Default:

60

Required:

False

disabled_algorithms

Mapping of algorithm categories to lists of algorithm names that paramiko should not offer during negotiation. Useful when connecting to legacy SSH servers that reject newer algorithm variants.

Type:

dict[str, list[str]]

Default:

None

Required:

False

The most common use case is forcing plain ssh-rsa when the server (e.g. OpenSSH 4.7) does not support the rsa-sha2-256 / rsa-sha2-512 variants that modern paramiko prefers:

commands:
  - type: ssh
    cmd: id
    hostname: $METASPLOITABLE2
    username: root
    key_filename: /tmp/backdoor_key
    disabled_algorithms:
      pubkeys:
        - rsa-sha2-256
        - rsa-sha2-512

clear_cache

Clear all cached connection settings before this command runs, allowing a fresh connection to be configured. Normally, all settings for SSH connections are cached, so they can be defined once in one command and reused in the following commands without being redefined.

Type:

bool

Default:

False

Required:

False

Sessions

creates_session

Name to assign to the session opened by this command. Can be reused in subsequent commands via session.

Type:

str

session

Name of an existing session to reuse. The session must have been created previously via creates_session.

Type:

str

Jump Host

jmp_hostname

Hostname or IP address of an SSH jump host to tunnel through.

Type:

str

jmp_port

Port to connect to on the jump host.

Type:

int

Default:

22

jmp_username

Username to authenticate as on the jump host.

Type:

str

Default:

same as username

Interactive Mode

interactive

Run the command in interactive mode.

Type:

bool

Default:

False

Required:

False

Instead of waiting for the command to finish, AttackMate reads output until no new output appears for command_timeout seconds, or until the output ends with one of the strings in prompts.

Useful for commands that require keystroke input (e.g. opening vim and then sending keystrokes in a follow-up command).

Warning

Commands executed in interactive mode MUST end with a newline character (\n).

vars:
  $SERVER_ADDRESS: 192.42.0.254
  $SSH_SERVER: 10.10.10.19

commands:
  # Open nmap in interactive mode and create a session:
  - type: ssh
    cmd: "nmap --interactive\n"
    interactive: True
    hostname: $SSH_SERVER
    username: aecid
    key_filename: "/home/alice/.ssh/id_rsa"
    creates_session: attacker

  # Send a command to the open interactive session:
  - type: ssh
    cmd: "!sh\n"
    interactive: True
    session: attacker

command_timeout

Seconds to wait for new output before stopping in interactive mode.

Type:

int

Default:

15

Required:

False

prompts

List of strings that signal the end of output in interactive mode. When the output ends with any of these strings, AttackMate stops reading immediately without waiting for the timeout. Set to an empty list to disable prompt detection.

Type:

list[str]

Default:

["$ ", "# ", "> "]

Required:

False

commands:
  # Custom prompt list:
  - type: ssh
    cmd: "nmap --interactive\n"
    interactive: True
    prompts:
      - "$ "
      - "# "
      - "> "
      - "% "
    hostname: $SSH_SERVER
    username: aecid
    key_filename: "/home/alice/.ssh/id_rsa"
    creates_session: attacker

vars:
  $SSH_SERVER: 10.10.10.19

commands:
  # Disable prompt detection entirely:
  - type: ssh
    cmd: "id\n"
    interactive: True
    prompts: []
    hostname: $SSH_SERVER
    username: aecid
    password: password
    creates_session: attacker
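
A model of the two stop conditions described for interactive mode (a prompts match versus command_timeout seconds of silence), added here as an example and not AttackMate's own code. FakeClock, FakeChannel, read_interactive and simulate are hypothetical names, and the channel data is constructed.

```python
class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


class FakeChannel:
    """Constructed stand-in for an SSH channel; script is [(arrival_time, bytes), ...]."""
    def __init__(self, script, clock):
        self.script, self.clock = sorted(script), clock

    def recv_ready(self):
        return bool(self.script) and self.script[0][0] <= self.clock.now

    def recv(self, _nbytes):
        return self.script.pop(0)[1]


def read_interactive(channel, clock, command_timeout=15,
                     prompts=("$ ", "# ", "> "), poll=0.5):
    """Read until a prompt ends the output or the channel is idle for command_timeout."""
    output, last_data = "", clock.now
    while True:
        if channel.recv_ready():
            output += channel.recv(4096).decode("utf-8", errors="replace")
            last_data = clock.now
            # An empty prompts list disables prompt detection.
            if prompts and output.endswith(tuple(prompts)):
                return output, "prompt", clock.now
        elif clock.now - last_data >= command_timeout:
            return output, "timeout", clock.now
        else:
            clock.sleep(poll)


def simulate(script, **settings):
    """Run read_interactive over constructed (time, bytes) chunks."""
    clock = FakeClock()
    return read_interactive(FakeChannel(script, clock), clock, **settings)


# Constructed sample output: a banner, then a prompt one second later.
SAMPLE = [(1.0, b"Starting Nmap\n"), (2.0, b"nmap> ")]

if __name__ == "__main__":
    print(simulate(SAMPLE))              # stops on "> " at t=2.0
    print(simulate(SAMPLE, prompts=[]))  # idles out at t=17.0
```

Because matching is against the tail of whatever has arrived so far, a chunk that happens to end in a prompt-like string such as "> " stops the read early in this model. A more specific prompts list avoids that.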

Binary Mode

bin

Enable binary mode. In this mode, cmd must be a hex-encoded string representing the raw bytes to send.

Type:

bool

Default:

False

Required:

False

commands:
  # "6964" is the hex encoding of "id":
  - type: ssh
    cmd: "6964"
    bin: True
    hostname: $SSH_SERVER
    username: aecid
    key_filename: "/home/alice/.ssh/id_rsa"