nsportsman edited this page 2026-02-12 14:17:42 -06:00

Bad Keys


Overview

Brutus embeds a collection of known SSH private keys that are used as defaults in various software and hardware products. These keys are compiled into the binary via Go's go:embed directive, enabling zero-dependency key testing with no external files needed.


Embedded Key Collection

| Key Name | Product | CVE | Default User | Default Port | Description |
|---|---|---|---|---|---|
| vagrant | Vagrant | -- | vagrant | 22 | HashiCorp Vagrant insecure private key for base boxes |
| vagrant-default | Vagrant | -- | root | 22 | Vagrant default insecure key (rapid7 collection) |
| f5-bigip-cve-2012-1493 | F5 BIG-IP | CVE-2012-1493 | root | 22 | Static root SSH host key in F5 load balancers |
| exagrid-cve-2016-1561 | ExaGrid | CVE-2016-1561 | root | 22 | Backdoor SSH key in ExaGrid backup appliances |
| barracuda_load_balancer_vm | Barracuda | CVE-2014-8428 | cluster | 8002 | Static key for cluster management |
| ceragon-fibeair-cve-2015-0936 | Ceragon FibeAir | CVE-2015-0936 | mateidu | 22 | Hardcoded key in wireless backhaul devices |
| monroe-dasdec-cve-2013-0137 | Monroe DASDEC | CVE-2013-0137 | root | 22 | Hardcoded key in emergency alert systems |
| array-networks-vapv-vxag | Array Networks | -- | sync | 22 | Static key in vAPV/vxAG virtual appliances |
| quantum-dxi-v1000 | Quantum DXi | -- | root | 22 | Static root key in deduplication appliances |
| loadbalancer.org-enterprise-va | Loadbalancer.org | -- | root | 22 | Static key in Enterprise VA 7.5.2 and earlier |

Username Expansion

Each key is paired with its primary default username, plus additional usernames that may work:

| Product | Primary User | Additional Users |
|---|---|---|
| Vagrant | vagrant | root, ubuntu, centos, ec2-user, admin |
| ExaGrid | root | admin, support |
| F5 BIG-IP | root | admin |
| Barracuda | cluster | root, admin |
| Array Networks | sync | root, admin |
| Ceragon | mateidu | root, admin |
| Loadbalancer.org | root | loadbalancer, admin |
| Monroe DASDEC | root | dasdec, admin |
| Quantum DXi | root | admin, service |

Usage

CLI

# Test all embedded bad keys against a single target
brutus -target 192.168.1.100:22 -protocol ssh --badkeys

# Combine with pipeline for network-wide key testing
naabu -host 10.0.0.0/24 -p 22 -silent | fingerprintx | brutus --stdin --badkeys

# Combine bad keys with custom usernames
brutus -target 192.168.1.100:22 -protocol ssh --badkeys -u root,admin,vagrant

Library API

import (
    "fmt"

    "github.com/praetorian-inc/brutus/pkg/badkeys"
)

// Get all SSH key credentials
creds := badkeys.GetSSHCredentials()

// Get expanded credentials (all username:key combinations)
expanded := badkeys.GetExpandedSSHCredentials()

// Filter by product
vagrantCreds := badkeys.GetCredentialsByProduct("vagrant")

// Filter by CVE
f5Creds := badkeys.GetCredentialsByCVE("CVE-2012-1493")

// Get just the raw private keys
keys := badkeys.GetKeys()

// Get all unique usernames
usernames := badkeys.GetUsernames()

// Get a specific key by name
key, ok := badkeys.GetKeyByName("f5-bigip-cve-2012-1493")

// List all available key names
names := badkeys.ListKeys()

// Get collection statistics
stats := badkeys.GetStats()
fmt.Printf("Keys: %d, Products: %d, CVEs: %d\n",
    stats.TotalKeys, stats.TotalProducts, stats.KeysWithCVE)

SSHCredential Type

type SSHCredential struct {
    Name        string  // Human-readable identifier (e.g., "vagrant-default")
    Username    string  // Associated default username
    Key         []byte  // Raw PEM-encoded private key
    Product     string  // Vendor/product identifier
    CVE         string  // CVE identifier (empty if none)
    Description string  // Context about where this key is found
    DefaultPort int     // Typical SSH port (usually 22)
}

Implementation Details

Keys are embedded at compile time using Go's embed package:

//go:embed keys/rapid7/*.key keys/vagrant/*.key
var keysFS embed.FS

This means:

  • No external files needed -- keys are part of the binary
  • No file system access required -- works in containers and air-gapped environments
  • Tamper-resistant -- keys cannot be modified at runtime

Use Cases

Network-Wide Key Spraying

naabu -host 10.0.0.0/8 -p 22 -rate 1000 -silent | \
  fingerprintx | \
  brutus --stdin --badkeys --json -o ssh-key-findings.json

Compliance Auditing

brutus --stdin --badkeys --json < targets.txt | \
  jq 'select(.success)' > compliance-violations.json
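
A host-side complement to the scans above, as an added example that is not part of Brutus: it checks authorized_keys content against a set of known-bad public-key fingerprints. The function names, the sample file and the `example-bad-key` entry are constructed for illustration; in practice the fingerprint set would be derived from the public halves of the keys in the Embedded Key Collection table.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// keyFingerprint: OpenSSH SHA256 fingerprint of b64 if it is a wire-format blob of type keyType.
func keyFingerprint(keyType, b64 string) (string, bool) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	n := len(keyType)
	if err != nil || len(blob) < 4+n || int(binary.BigEndian.Uint32(blob)) != n || string(blob[4:4+n]) != keyType {
		return "", false
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), true
}

// AuditAuthorizedKeys reports entries listed in bad (fingerprint -> name); options are skipped.
func AuditAuthorizedKeys(content string, bad map[string]string) (hits []string) {
	for ln, raw := range strings.Split(content, "\n") {
		f := strings.Fields(raw)
		for i := 0; i+1 < len(f) && f[0][0] != '#'; i++ { // '#' lines are comments
			if fp, ok := keyFingerprint(f[i], f[i+1]); ok {
				if name, isBad := bad[fp]; isBad {
					hits = append(hits, fmt.Sprintf("line %d: %s", ln+1, name))
				}
				break
			}
		}
	}
	return hits
}

// Demo audits a constructed file; the keys are structurally valid but not real keys.
func Demo() []string {
	key := func(fill string) string { // SSH wire format: string type, string key
		b := "\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + strings.Repeat(fill, 32)
		return base64.StdEncoding.EncodeToString([]byte(b))
	}
	fp, _ := keyFingerprint("ssh-ed25519", key("A"))
	file := "# constructed sample\nssh-ed25519 " + key("B") + " alice@laptop\n" +
		`command="echo ssh-ed25519 x",no-pty ssh-ed25519 ` + key("A") + " vendor\n"
	return AuditAuthorizedKeys(file, map[string]string{fp: "example-bad-key"})
}

func main() { fmt.Println(Demo()) }
```

The fingerprint strings use the same `SHA256:...` form that `ssh-keygen -l -f` prints for a public key, so the `bad` map can be built with standard OpenSSH tooling.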
