
Fix SSH Socket Channels #20953

Merged
adfoster-r7 merged 2 commits into rapid7:master from zeroSteiner:fix/ssh-socket-channels/1
Feb 11, 2026

Conversation

@zeroSteiner
Contributor

This fixes a couple of errors in the post/test/socket_channels tests (added in #20689 for context). UDP tests are skipped because the SSH RFC doesn't support UDP channels. One TCP client test is failing, the one where binding to port 0 should allow the target to specify the port and return the value. RFC 4254 section 7.2 doesn't make any note of how the originator IP and port should be handled in this context. The way Rex::Parameters#localport is written prevents checking if port 0 was explicitly set or not. If it was explicitly set and that could be detected, an error should be thrown but that doesn't seem possible.

At this point, all the tests that should pass are passing for SSH sessions.

Verification

  • Start msfconsole
  • use auxiliary/scanner/ssh/ssh_login to open an SSH session, make sure CreateSession is true and the target server permits the necessary forwarding options in the OpenSSH config
  • Load the test modules with loadpath test/modules
  • Run post/test/socket_channels
  • Only see the one failure "[-] FAILED: [TCP-Client] Allows binding to port 0"

Old and Broken

msf auxiliary(scanner/ssh/ssh_login) > set AutoRunScript 
AutoRunScript => post/test/socket_channels
msf auxiliary(scanner/ssh/ssh_login) > run
[*] 127.0.0.1:22          - Starting bruteforce
[*] 127.0.0.1:22 SSH - Testing User/Pass combinations
[+] 127.0.0.1:22          - Success: 'smcintyre:Password1!' 'uid=1000(smcintyre) gid=1000(smcintyre) groups=1000(smcintyre),10(wheel),967(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux fedora 6.18.8-200.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jan 30 20:23:28 UTC 2026 x86_64 GNU/Linux '
[*] Session ID 1 (?? -> ??) processing AutoRunScript 'post/test/socket_channels'
[*] Running against session 1
[*] Session type is shell and platform is linux
[*] Running TCP client channel tests...
[-] FAILED: [TCP-Client] Allows binding to port 0
[+] [TCP-Client] Has the correct peer information
[+] [TCP-Client] Receives data from the peer
[+] [TCP-Client] Sends data to the peer
[+] [TCP-Client] Propagates close events to the peer
[-] FAILED: [TCP-Client] Propagates close events from the peer
[!] UDP channels are not supported by SSH sessions.
[*] Running TCP server channel tests...
[-] [[TCP-Server] Allows binding to port 0] FAILED: [TCP-Server] Allows binding to port 0
[-] [[TCP-Server] Allows binding to port 0] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Accepts a connection] FAILED: [TCP-Server] Accepts a connection
[-] [[TCP-Server] Accepts a connection] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Has the correct peer information] FAILED: [TCP-Server] Has the correct peer information
[-] [[TCP-Server] Has the correct peer information] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Receives data from the peer] FAILED: [TCP-Server] Receives data from the peer
[-] [[TCP-Server] Receives data from the peer] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Sends data to the peer] FAILED: [TCP-Server] Sends data to the peer
[-] [[TCP-Server] Sends data to the peer] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Propagates close events to the server] FAILED: [TCP-Server] Propagates close events to the server
[-] [[TCP-Server] Propagates close events to the server] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Propagates close events to the peer] FAILED: [TCP-Server] Propagates close events to the peer
[-] [[TCP-Server] Propagates close events to the peer] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] [[TCP-Server] Propagates close events from the peer] FAILED: [TCP-Server] Propagates close events from the peer
[-] [[TCP-Server] Propagates close events from the peer] Exception: NoMethodError: undefined method `params' for an instance of Msf::Sessions::SshCommandShellBind::TcpServerChannel
[-] Passed: 4; Failed: 10; Skipped: 0
[*] SSH session 1 opened (127.0.0.1:34873 -> 127.0.0.1:22) at 2026-02-10 17:06:01 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_login) >

New and Fixed

msf auxiliary(scanner/ssh/ssh_login) > run
[*] 127.0.0.1:22          - Starting bruteforce
[*] 127.0.0.1:22 SSH - Testing User/Pass combinations
[+] 127.0.0.1:22          - Success: 'smcintyre:Password1!' 'uid=1000(smcintyre) gid=1000(smcintyre) groups=1000(smcintyre),10(wheel),967(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux fedora 6.18.8-200.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jan 30 20:23:28 UTC 2026 x86_64 GNU/Linux '
[*] Session ID 1 (?? -> ??) processing AutoRunScript 'post/test/socket_channels'
[*] Running against session 1
[*] Session type is shell and platform is linux
[*] Running TCP client channel tests...
[-] FAILED: [TCP-Client] Allows binding to port 0
[+] [TCP-Client] Has the correct peer information
[+] [TCP-Client] Receives data from the peer
[+] [TCP-Client] Sends data to the peer
[+] [TCP-Client] Propagates close events to the peer
[+] [TCP-Client] Propagates close events from the peer
[!] UDP channels are not supported by SSH sessions.
[*] Running TCP server channel tests...
[+] [TCP-Server] Allows binding to port 0
[+] [TCP-Server] Accepts a connection
[+] [TCP-Server] Has the correct peer information
[+] [TCP-Server] Receives data from the peer
[+] [TCP-Server] Sends data to the peer
[+] [TCP-Server] Propagates close events to the server
[+] [TCP-Server] Propagates close events to the peer
[+] [TCP-Server] Propagates close events from the peer
[-] Passed: 13; Failed: 1; Skipped: 0
[*] SSH session 1 opened (127.0.0.1:41345 -> 127.0.0.1:22) at 2026-02-10 16:51:25 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
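
The two RFC 4254 forwarding messages behind the port 0 results above, as an added example that is not part of this pull request or of Metasploit: the section 7.1 tcpip-forward reply carries the port the server bound, while the section 7.2 direct-tcpip open carries only originator fields that the client supplies. That the TCP-Server and TCP-Client tests map onto these two messages is an assumption; helper names and sample values are constructed.

```ruby
# Added example: RFC 4254 wire formats only; not Metasploit or net-ssh code.
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_CHANNEL_OPEN    = 90

def ssh_string(str)
  [str.bytesize].pack('N') + str.b
end

# Reader for the SSH wire types used here; rejects truncated input.
class Reader
  def initialize(buf)
    @buf = buf.b
    @pos = 0
  end

  def take(n)
    raise ArgumentError, 'truncated SSH message' if @pos + n > @buf.bytesize
    chunk = @buf[@pos, n]
    @pos += n
    chunk
  end

  def byte;   take(1).getbyte(0); end
  def uint32; take(4).unpack1('N'); end
  def string; take(uint32); end
  def eof?;   @pos >= @buf.bytesize; end
end

# Section 7.2: direct-tcpip channel open. Originator IP/port are client-supplied.
def direct_tcpip_open(host, port, orig_ip, orig_port, chan: 0, window: 0x200000, max_pkt: 0x8000)
  [SSH_MSG_CHANNEL_OPEN].pack('C') + ssh_string('direct-tcpip') +
    [chan, window, max_pkt].pack('N3') + ssh_string(host) + [port].pack('N') +
    ssh_string(orig_ip) + [orig_port].pack('N')
end

def parse_direct_tcpip_open(buf)
  r = Reader.new(buf)
  raise ArgumentError, 'not CHANNEL_OPEN' unless r.byte == SSH_MSG_CHANNEL_OPEN
  raise ArgumentError, 'not direct-tcpip' unless r.string == 'direct-tcpip'
  3.times { r.uint32 } # sender channel, initial window size, maximum packet size
  { host: r.string, port: r.uint32, originator_ip: r.string, originator_port: r.uint32 }
end

# Section 7.1: the reply to a port 0 tcpip-forward carries the bound port.
# Returns nil when the reply has no response-specific data.
def parse_forward_success(buf)
  r = Reader.new(buf)
  raise ArgumentError, 'not REQUEST_SUCCESS' unless r.byte == SSH_MSG_REQUEST_SUCCESS
  r.eof? ? nil : r.uint32
end
```

The channel open confirmation defined in RFC 4254 section 5.1 has no address or port field for direct-tcpip, so an originator port of 0 is never replaced by a value chosen on the server side.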

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Feb 11, 2026
@adfoster-r7 adfoster-r7 merged commit 877d2d8 into rapid7:master Feb 11, 2026
45 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Feb 11, 2026
@adfoster-r7 adfoster-r7 added the rn-fix release notes fix label Feb 11, 2026
@adfoster-r7
Contributor

Release Notes

Improves the stability of socket channeling support for SSH sessions opened via scanner/ssh/ssh_login
