rapid7 · smcintyre-r7 · Mar 6, 2024 · Jan 9, 2024 · Jan 11, 2024 · Jan 11, 2024
diff --git a/documentation/modules/auxiliary/scanner/ssh/ssh_version.md b/documentation/modules/auxiliary/scanner/ssh/ssh_version.md
@@ -2,7 +2,8 @@
 
 SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.  SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
 
-This module identifies the version of SSH service in use by the server based on the server's banner. Any SSH server should return this information.
+This module identifies the version of SSH service in use by the server based on the server's banner. Any SSH server should return this information. It also identifies
+the varous cryptographic settings and vulnerabilities associated with those.
 
 ## Vulnerable Application
 
@@ -12,6 +13,20 @@ This module is tested on several different SSH services, such as:
 - `github.com`: SSH-2.0-babeld-38be96bc
 - `gitlab.com`: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
 
+### Vulnerable Ubuntu 14.04.1
+
+The following `Dockerfile` can be used to create an Ubuntu 14.04.1 image with SSH running.
+
+```
+FROM ubuntu:14.04.1
+
+RUN apt-get update && apt-get -y install --no-install-recommends openssh-server=1:6.6p1-2ubuntu1 openssh-client=1:6.6p1-2ubuntu1 openssh-sftp-server=1:6.6p1-2ubuntu1
+RUN mkdir /var/run/sshd
+EXPOSE 22
+
+CMD ["/usr/sbin/sshd","-D"]
+```
+
 ## Verification Steps
 
   1. Do: `use auxiliary/scanner/ssh/ssh_version`
@@ -22,13 +37,229 @@ This module is tested on several different SSH services, such as:
 
 ### SSH-2.0 on GitHub
 
-  ```
-msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ssh/ssh_version
+```
+msf5 > use auxiliary/scanner/ssh/ssh_version
 msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS github.com
 RHOSTS => github.com
 msf5 auxiliary(scanner/ssh/ssh_version) > run
 
-[+] 140.82.118.4:22       - SSH server version: SSH-2.0-babeld-38be96bc
-[*] github.com:22         - Scanned 1 of 1 hosts (100% complete)
+[*] 140.82.113.3 - Key Fingerprint: 65:96:2d:fc:e8:d5:a9:11:64:0c:0f:ea:00:6e:5b:bd
+[+] 140.82.113.3 - Host Key Encryption ecdsa-sha2-nistp256 uses a weak elliptic curve and should not be used.
+[*] 140.82.113.3 - SSH server version: SSH-2.0-babeld-8e18a363
+[*] 140.82.113.3 - Server Encryption
+=================
+
+  Type                Value
+  ----                -----
+  Compression         none
+  Compression         [email protected]
+  Compression         zlib
+  Encryption          [email protected]
+  Encryption          [email protected]
+  Encryption          [email protected]
+  Encryption          aes256-ctr
+  Encryption          aes192-ctr
+  Encryption          aes128-ctr
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                hmac-sha2-512
+  HMAC                hmac-sha2-256
+  Host Key            ssh-ed25519
+  Host Key            ecdsa-sha2-nistp256
+  Host Key            rsa-sha2-512
+  Host Key            rsa-sha2-256
+  Host Key            ssh-rsa
+  Key Exchange (kex)  curve25519-sha256
+  Key Exchange (kex)  [email protected]
+  Key Exchange (kex)  ecdh-sha2-nistp256
+  Key Exchange (kex)  ecdh-sha2-nistp384
+  Key Exchange (kex)  ecdh-sha2-nistp521
+  Key Exchange (kex)  diffie-hellman-group-exchange-sha256
+  Key Exchange (kex)  [email protected]
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Docker image
+
+```
+msf5 > use auxiliary/scanner/ssh/ssh_version
+msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 auxiliary(scanner/ssh/ssh_version) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/ssh/ssh_version) > run
+Calling Net::SSH::Buffer methods on HostKeyEntries PubKey is deprecated
+
+[*] 172.17.0.2 - Key Fingerprint: 49:43:e7:e8:ee:41:bb:36:83:e4:8c:2d:0a:81:dd:77
+[+] 172.17.0.2 - Encryption arcfour256 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour256 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour128 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour128 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes128-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption 3des-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption blowfish-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption cast128-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes192-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes256-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-ripemd160 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC [email protected] is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-sha1-96 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5-96 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5-96 is deprecated and should not be used.
+[+] 172.17.0.2 - Host Key Encryption ecdsa-sha2-nistp256 uses a weak elliptic curve and should not be used.
+[+] 172.17.0.2 - Key Exchange (kex) diffie-hellman-group-exchange-sha1 is deprecated and should not be used.
+[+] 172.17.0.2 - Key Exchange (kex) diffie-hellman-group1-sha1 is deprecated and should not be used.
+[*] 172.17.0.2 - SSH server version: SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
+        service.version: 6.6p1
+        openssh.comment: Ubuntu-2ubuntu1
+        service.vendor: OpenBSD
+        service.family: OpenSSH
+        service.product: OpenSSH
+        service.cpe23: cpe:/a:openbsd:openssh:6.6p1
+        os.vendor: Ubuntu
+        os.family: Linux
+        os.product: Linux
+        os.version: 14.04
+        os.cpe23: cpe:/o:canonical:ubuntu_linux:14.04
+        service.protocol: ssh
+        fingerprint_db: ssh.banner
+[*] 172.17.0.2 - Server Encryption
+=================
+
+  Type                Value
+  ----                -----
+  Compression         none
+  Compression         [email protected]
+  Encryption          aes128-ctr
+  Encryption          aes192-ctr
+  Encryption          aes256-ctr
+  Encryption          arcfour256
+  Encryption          arcfour128
+  Encryption          [email protected]
+  Encryption          [email protected]
+  Encryption          [email protected]
+  Encryption          aes128-cbc
+  Encryption          3des-cbc
+  Encryption          blowfish-cbc
+  Encryption          cast128-cbc
+  Encryption          aes192-cbc
+  Encryption          aes256-cbc
+  Encryption          arcfour
+  Encryption          [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                hmac-md5
+  HMAC                hmac-sha1
+  HMAC                [email protected]
+  HMAC                [email protected]
+  HMAC                hmac-sha2-256
+  HMAC                hmac-sha2-512
+  HMAC                hmac-ripemd160
+  HMAC                [email protected]
+  HMAC                hmac-sha1-96
+  HMAC                hmac-md5-96
+  Host Key            ssh-rsa
+  Host Key            ssh-dss
+  Host Key            ecdsa-sha2-nistp256
+  Host Key            ssh-ed25519
+  Key Exchange (kex)  [email protected]
+  Key Exchange (kex)  ecdh-sha2-nistp256
+  Key Exchange (kex)  ecdh-sha2-nistp384
+  Key Exchange (kex)  ecdh-sha2-nistp521
+  Key Exchange (kex)  diffie-hellman-group-exchange-sha256
+  Key Exchange (kex)  diffie-hellman-group-exchange-sha1
+  Key Exchange (kex)  diffie-hellman-group14-sha1
+  Key Exchange (kex)  diffie-hellman-group1-sha1
+
+[*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-  ```
+```
+
+## Confirming using NMAP
+
+Utilizing the [ssh2-enum-algos](https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html) NMAP script.
+
+```
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 14:55 EST
+Nmap scan report for 172.17.0.2
+Host is up (0.000099s latency).
+
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
+| ssh2-enum-algos: 
+|   kex_algorithms: (8)
+|       [email protected]
+|       ecdh-sha2-nistp256
+|       ecdh-sha2-nistp384
+|       ecdh-sha2-nistp521
+|       diffie-hellman-group-exchange-sha256
+|       diffie-hellman-group-exchange-sha1
+|       diffie-hellman-group14-sha1
+|       diffie-hellman-group1-sha1
+|   server_host_key_algorithms: (4)
+|       ssh-rsa
+|       ssh-dss
+|       ecdsa-sha2-nistp256
+|       ssh-ed25519
+|   encryption_algorithms: (16)
+|       aes128-ctr
+|       aes192-ctr
+|       aes256-ctr
+|       arcfour256
+|       arcfour128
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       aes128-cbc
+|       3des-cbc
+|       blowfish-cbc
+|       cast128-cbc
+|       aes192-cbc
+|       aes256-cbc
+|       arcfour
+|       [email protected]
+|   mac_algorithms: (19)
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       [email protected]
+|       hmac-md5
+|       hmac-sha1
+|       [email protected]
+|       [email protected]
+|       hmac-sha2-256
+|       hmac-sha2-512
+|       hmac-ripemd160
+|       [email protected]
+|       hmac-sha1-96
+|       hmac-md5-96
+|   compression_algorithms: (2)
+|       none
+|_      [email protected]
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
+```