ssh_version module #18686

Merged
merged 7 commits into from
Mar 6, 2024

Conversation

h00die
Contributor

@h00die h00die commented Jan 9, 2024

fix #18685

ssh_version module does what it says. However, it would be nice if we had the ability to pull ciphers, encryption methods etc., similar to the upgrade to ssl_version in #17149.

This PR does that, it shows:

  1. ssh server fingerprint
  2. looks for encryption/hmac/kex/etc that are deprecated and prints those
  3. prints the values returned by the server related to encryption/compression/etc

Validation

  • start msfconsole
  • use auxiliary/scanner/ssh/ssh_version
  • set rhost to the docker image, or any host really that you want
  • run
  • you should see info and warnings printed.

@h00die
Contributor Author

h00die commented Jan 9, 2024

Still need to do docs, and test on additional devices.

@jvoisin
Contributor

jvoisin commented Jan 10, 2024

I would suggest using a map like `[url => [cipher1, cipher2, cipher3, …]]` instead of copy/pasting everything :)

@h00die h00die changed the title from "ssh_login module" to "ssh_version module" Jan 10, 2024
@jmartin-tech
Contributor

A passing thought, it would be nice if the data gathered and displayed here was stored even when a vuln is not found.

@h00die
Contributor Author

h00die commented Jan 11, 2024

A passing thought, it would be nice if the data gathered and displayed here was stored even when a vuln is not found.

I'm up for suggestions. ssl_version, which this is slightly similar to, only stores the cert.

@h00die h00die marked this pull request as ready for review January 11, 2024 19:56
@smcintyre-r7 smcintyre-r7 self-assigned this Feb 12, 2024
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

I'm generally concerned about the output in a scanner module increasing from 1 line to 96 for a single host in the default condition. How would you feel about making some of the output either VERBOSE or controlled by a dedicated datastore option?

modules/auxiliary/scanner/ssh/ssh_version.rb (outdated, resolved)
modules/auxiliary/scanner/ssh/ssh_version.rb (outdated, resolved)
server_data[:encryption_server].each do |encryption|
  encryption_checks.each do |encryptions, refs|
    encryptions.each do |bad_enc|
      next unless encryption.downcase.start_with? bad_enc
      # the body that reports the matched deprecated algorithm is not shown on this page
    end
  end
end
Contributor

Is the #start_with? check necessary here instead of a normal equality check? The reason I ask is that because of arcfour being defined in the first group, anything that starts with arcfour would be included, not just the ones that are defined. The same goes for other entries.

Contributor Author

This was done for consistency. https://datatracker.ietf.org/doc/html/rfc8732#name-deprecated-algorithms mentions gss-group1-sha1-* and it seemed like a lot of added logic for some to check starts_with and others not. However, I've switched it to be more exact.
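The check the PR description promises (flag deprecated encryption/hmac/kex names the server advertises), written the way this review thread settles on: one table keyed by reference URL as jvoisin suggested, matched by equality instead of String#start_with?, with a Regexp used only for the gss-group1-sha1-* family that RFC 8732 deprecates as a whole. This is an added example, not code from the Metasploit ssh_version module; the table entries are this example's own selection (an assumption to verify against the cited RFCs), and the sample key-exchange list is constructed after the scanner output shown later in the PR.

```ruby
# Added example; not code from the Metasploit ssh_version module.
# Demonstrates the deprecated-algorithm check discussed in this PR with one
# reference-keyed table, exact matching for named algorithms and a Regexp only
# where the reference itself deprecates a family of names.
# Assumption: the table below is this example's selection; verify against the RFCs.

# Reference => algorithm names (exact String) or families (Regexp) it deprecates.
DEPRECATED_ALGORITHMS = {
  # RFC 8758 deprecates the RC4 ("arcfour") ciphers in SSH.
  'https://datatracker.ietf.org/doc/html/rfc8758' => %w[arcfour arcfour128 arcfour256],
  # RFC 9142 marks these SHA-1 based key exchange methods as SHOULD NOT.
  'https://datatracker.ietf.org/doc/html/rfc9142' => %w[
    diffie-hellman-group1-sha1
    diffie-hellman-group-exchange-sha1
  ],
  # RFC 8732 (cited in the review thread) deprecates gss-group1-sha1-*, whose
  # names end in a per-mechanism suffix, so a prefix pattern encodes that one
  # reference faithfully without widening any of the exact entries above.
  'https://datatracker.ietf.org/doc/html/rfc8732' => [/\Agss-group1-sha1-/]
}.freeze

# Key-exchange list modelled on the scanner output shown in this PR
# (constructed sample input, not captured from a live host).
SAMPLE_KEX = %w[
  curve25519-sha256@libssh.org
  ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1
  diffie-hellman-group1-sha1
].freeze

# Returns one { algorithm:, reference: } Hash per (algorithm, reference) match,
# in the order the server advertised the algorithms.  `===` is plain equality
# for a String pattern and a match for a Regexp pattern, so a constructed name
# such as "arcfour-vendor-variant" is not reported merely for sharing a prefix.
def deprecated_findings(server_algorithms, table = DEPRECATED_ALGORITHMS)
  findings = []
  server_algorithms.each do |algorithm|
    name = algorithm.downcase
    table.each do |reference, patterns|
      patterns.each do |pattern|
        next unless pattern === name

        findings << { algorithm: algorithm, reference: reference }
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  deprecated_findings(SAMPLE_KEX).each do |f|
    puts "#{f[:algorithm]}: deprecated, see #{f[:reference]}"
  end
end
```

Run against SAMPLE_KEX this reports exactly diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1, the two entries the scanner output marks as Deprecated, and leaves diffie-hellman-group14-sha1 alone even though it shares most of its name with group1. The "lot of added logic" for mixing prefix and exact checks reduces to letting each table entry be a String or a Regexp and comparing with `===`.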

modules/auxiliary/scanner/ssh/ssh_version.rb (outdated, resolved)
@h00die
Contributor Author

h00die commented Mar 3, 2024

I made the print_good on each bad (reverse logic since pentest?) a verbose, which cuts down on output. I also added a datastore option, so I think it's the best of both worlds.

@smcintyre-r7
Contributor

@msjenkins-r7 test this please.

modules/auxiliary/scanner/ssh/ssh_version.rb (outdated, resolved)
modules/auxiliary/scanner/ssh/ssh_version.rb (outdated, resolved)
documentation/modules/auxiliary/scanner/ssh/ssh_version.md (outdated, resolved)
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Everything is looking good to me on this now. Thanks for all the changes you put together to improve this!

msf6 auxiliary(scanner/ssh/ssh_version) > show options 

Module options (auxiliary/scanner/ssh/ssh_version):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXTENDED_CHECKS  true             yes       Check for cryptographic issues
   RHOSTS           192.168.250.1    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT            22               yes       The target port
   THREADS          1                yes       The number of concurrent threads (max one per host)
   TIMEOUT          30               yes       Timeout for the SSH probe


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_version) > run

[*] 192.168.250.1 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMf2Rx2HLHYxwv3acxlS+r8ZXSwrcNb/z6YPSl4rmEs
[*] 192.168.250.1 - SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1
[*] 192.168.250.1 - Server Information and Encryption
=================================

  Type                     Value                                 Note
  ----                     -----                                 ----
  encryption.compression   none
  encryption.compression   [email protected]
  encryption.encryption    [email protected]
  encryption.encryption    aes128-ctr
  encryption.encryption    aes192-ctr
  encryption.encryption    aes256-ctr
  encryption.encryption    [email protected]
  encryption.encryption    [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          [email protected]
  encryption.hmac          hmac-sha2-256
  encryption.hmac          hmac-sha2-512
  encryption.hmac          hmac-sha1
  encryption.host_key      ssh-rsa
  encryption.host_key      ssh-dss
  encryption.host_key      ecdsa-sha2-nistp256                   Weak elliptic curve
  encryption.host_key      ssh-ed25519
  encryption.key_exchange  [email protected]
  encryption.key_exchange  ecdh-sha2-nistp256
  encryption.key_exchange  ecdh-sha2-nistp384
  encryption.key_exchange  ecdh-sha2-nistp521
  encryption.key_exchange  diffie-hellman-group-exchange-sha256
  encryption.key_exchange  diffie-hellman-group-exchange-sha1    Deprecated
  encryption.key_exchange  diffie-hellman-group14-sha1
  encryption.key_exchange  diffie-hellman-group1-sha1            Deprecated
  fingerprint_db           ssh.banner
  openssh.comment          Debian-4~bpo70+1
  os.cpe23                 cpe:/o:debian:debian_linux:7.0
  os.family                Linux
  os.product               Linux
  os.vendor                Debian
  os.version               7.0
  service.cpe23            cpe:/a:openbsd:openssh:6.6.1p1
  service.family           OpenSSH
  service.product          OpenSSH
  service.protocol         ssh
  service.vendor           OpenBSD
  service.version          6.6.1p1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_version) > set EXTENDED_CHECKS false 
EXTENDED_CHECKS => false
msf6 auxiliary(scanner/ssh/ssh_version) > run

[*] 192.168.250.1 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMf2Rx2HLHYxwv3acxlS+r8ZXSwrcNb/z6YPSl4rmEs
[*] 192.168.250.1 - SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_version) >

@smcintyre-r7 smcintyre-r7 merged commit 23e0abe into rapid7:master Mar 6, 2024
33 of 34 checks passed
@smcintyre-r7
Contributor

Release Notes

This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.

@h00die h00die deleted the ssh_version branch March 6, 2024 22:01
Successfully merging this pull request may close these issues.

ssh_version updates