network-utility 1.1.61 → 2.0.0

data/document/telnet.md

@@ -209,6 +209,17 @@ module NE5000E_20
 end
 ```
 
+```ruby
+@sign << ['VNE9000', 'telnet']
+
+module VNE9000
+  def setting
+    @selectors = {"  ---- More ----"=>' ',"Are you sure to display some information?(Y/N)[Y]:"=>'y'}
+    @erasers << "  ---- More ----" << "                " << " \x1b[1D" << "                "
+  end
+end
+```
+
 ```ruby
 @sign << ['NE8000E-X8', 'telnet']
 

data/network.rb

@@ -11,7 +11,10 @@
 ].each{|mod|require "utility/#{mod}"}
 
 [
-  'snmp'
+  'ssh/2310/detector/ssh_native_detector',
+  'ssh/2310/detector/ssh_detector_final',
+  'ssh/2310/detector/ssh_detector',
+  'snmp/snmp'
 ].each{|mod|require "support/#{mod}"}
 
 [
@@ -23,5 +26,5 @@
 ].each{|mod|require mod}
 
 module Network
-  VERSION = '1.1.61'
+  VERSION = '2.0.0'
 end

data/support/ssh/2310/detector/ssh_detector.rb

@@ -0,0 +1,259 @@
+#!/usr/bin/env ruby
+# SSH协议检测器 - 探测对端支持的算法套件
+# 依赖: gem install net-ssh
+
+require 'net/ssh'
+require 'net/ssh/transport/session'
+require 'socket'
+require 'timeout'
+
+class SSHProtocolDetector
+  attr_reader :host, :port, :results
+
+  # 已知的算法分类
+  KEX_ALGORITHMS = [
+    "curve25519-sha256", "curve25519-sha256@libssh.org",
+    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
+    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
+    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
+    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
+    "kex-strict-s-v00@openssh.com"
+  ].freeze
+
+  CIPHER_ALGORITHMS = [
+    "chacha20-poly1305@openssh.com",
+    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
+    "aes256-ctr", "aes192-ctr", "aes128-ctr",
+    "aes256-cbc", "aes192-cbc", "aes128-cbc",
+    "3des-cbc", "blowfish-cbc", "cast128-cbc",
+    "arcfour", "arcfour128", "arcfour256"
+  ].freeze
+
+  MAC_ALGORITHMS = [
+    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
+    "hmac-sha1-etm@openssh.com",
+    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
+    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
+    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
+    "umac-64@openssh.com", "umac-128@openssh.com"
+  ].freeze
+
+  HOST_KEY_ALGORITHMS = [
+    "ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com",
+    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
+    "rsa-sha2-512", "rsa-sha2-256",
+    "ssh-rsa", "ssh-dss"
+  ].freeze
+
+  COMPRESSION_ALGORITHMS = [
+    "none", "zlib@openssh.com", "zlib"
+  ].freeze
+
+  def initialize(host, port = 22, timeout = 10)
+    @host = host
+    @port = port
+    @timeout = timeout
+    @results = {}
+  end
+
+  # 主检测方法
+  def detect
+    puts "🔍 正在检测 SSH 协议支持: #{@host}:#{@port}"
+    puts "=" * 60
+
+    # 1. 基础连通性检测
+    return false unless check_connectivity
+
+    # 2. 获取Banner信息
+    fetch_banner
+
+    # 3. 使用Net::SSH探测算法
+    probe_algorithms
+
+    # 4. 详细握手分析
+    analyze_handshake
+
+    display_results
+    true
+  rescue => e
+    puts "❌ 检测失败: #{e.message}"
+    false
+  end
+
+  private
+
+  # 检查TCP连通性
+  def check_connectivity
+    Timeout::timeout(@timeout) do
+      TCPSocket.new(@host, @port).close
+    end
+    puts "✅ TCP连接正常"
+    true
+  rescue => e
+    puts "❌ 无法连接到 #{@host}:#{@port} - #{e.message}"
+    false
+  end
+
+  # 获取SSH Banner
+  def fetch_banner
+    socket = TCPSocket.new(@host, @port)
+    banner = socket.gets&.chomp
+    socket.close
+
+    @results[:banner] = banner
+    puts "📢 SSH Banner: #{banner}"
+
+    # 解析版本
+    if banner =~ /SSH-(\d+\.\d+)-(.+)/
+      @results[:protocol_version] = $1
+      @results[:software_version] = $2
+    end
+  rescue => e
+    puts "⚠️  获取Banner失败: #{e.message}"
+  end
+
+  # 探测支持的算法
+  def probe_algorithms
+    puts "\n🔬 正在探测算法支持..."
+
+    begin
+      # 创建临时SSH会话获取算法列表
+      session = Net::SSH::Transport::Session.new(
+        @host,
+        port: @port,
+        timeout: @timeout,
+        # 提供所有可能的算法进行协商
+        kex: KEX_ALGORITHMS,
+        host_key: HOST_KEY_ALGORITHMS,
+        encryption: CIPHER_ALGORITHMS,
+        hmac: MAC_ALGORITHMS,
+        compression: COMPRESSION_ALGORITHMS,
+        # 不验证主机密钥，仅探测
+        paranoid: false,
+        verify_host_key: :never,
+        # 使用空认证，仅完成KEX
+        auth_methods: ['none']
+      )
+
+      # 获取协商后的算法
+      algorithms = session.algorithms
+
+      @results[:negotiated] = {
+        kex: algorithms.kex,
+        host_key: algorithms.host_key,
+        encryption_client: algorithms.encryption[:client],
+        encryption_server: algorithms.encryption[:server],
+        mac_client: algorithms.hmac[:client],
+        mac_server: algorithms.hmac[:server],
+        compression_client: algorithms.compression[:client],
+        compression_server: algorithms.compression[:server]
+      }
+
+      session.close
+    rescue Net::SSH::AuthenticationFailed
+      # 认证失败是正常的，说明KEX已完成
+      puts "✅ 密钥交换成功 (认证阶段被拒绝)"
+    rescue => e
+      puts "⚠️  算法探测警告: #{e.message}"
+    end
+  end
+
+  # 深度握手分析
+  def analyze_handshake
+    puts "\n🔍 分析密钥交换详情..."
+
+    socket = TCPSocket.new(@host, @port)
+
+    # 发送我们的Banner
+    socket.write("SSH-2.0-RubyDetector_1.0\r\n")
+
+    # 读取服务器Banner
+    banner = socket.gets
+    puts "   服务器回应: #{banner&.chomp}"
+
+    socket.close
+  rescue => e
+    puts "⚠️  握手分析受限: #{e.message}"
+  end
+
+  # 显示结果
+  def display_results
+    puts "\n" + "=" * 60
+    puts "📊 检测结果汇总"
+    puts "=" * 60
+
+    if @results[:protocol_version]
+      puts "\n🌐 协议版本: SSH-#{@results[:protocol_version]}"
+      puts "🖥️  软件版本: #{@results[:software_version]}"
+    end
+
+    if @results[:negotiated]
+      neg = @results[:negotiated]
+      puts "\n🤝 协商成功的算法组合:"
+      puts "   密钥交换: #{neg[:kex]}"
+      puts "   主机密钥: #{neg[:host_key]}"
+      puts "   加密算法(客户端→服务端): #{neg[:encryption_client]}"
+      puts "   加密算法(服务端→客户端): #{neg[:encryption_server]}"
+      puts "   MAC算法(客户端→服务端): #{neg[:mac_client]}"
+      puts "   MAC算法(服务端→客户端): #{neg[:mac_server]}"
+      puts "   压缩(客户端→服务端): #{neg[:compression_client]}"
+      puts "   压缩(服务端→客户端): #{neg[:compression_server]}"
+    end
+
+    puts "\n🔐 安全建议:"
+    check_security
+  end
+
+  # 安全检查
+  def check_security
+    neg = @results[:negotiated]
+    return unless neg
+
+    # 检查弱算法
+    weak_kex = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
+    weak_cipher = ["3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256", "aes256-cbc", "aes192-cbc", "aes128-cbc"]
+    weak_mac = ["hmac-md5", "hmac-md5-96", "hmac-sha1-96"]
+
+    warnings = []
+
+    if weak_kex.include?(neg[:kex])
+      warnings << "⚠️  使用弱密钥交换算法: #{neg[:kex]}"
+    end
+
+    if weak_cipher.include?(neg[:encryption_client]) || weak_cipher.include?(neg[:encryption_server])
+      warnings << "⚠️  使用弱加密算法"
+    end
+
+    if weak_mac.include?(neg[:mac_client]) || weak_mac.include?(neg[:mac_server])
+      warnings << "⚠️  使用弱MAC算法"
+    end
+
+    if warnings.empty?
+      puts "   ✅ 算法配置安全"
+    else
+      warnings.each { |w| puts "   #{w}" }
+    end
+
+    # 推荐配置
+    puts "\n💡 推荐算法:"
+    puts "   KEX: curve25519-sha256, ecdh-sha2-nistp521"
+    puts "   Cipher: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com"
+    puts "   MAC: hmac-sha2-256-etm@openssh.com"
+  end
+end
+
+# 命令行接口
+if __FILE__ == $0
+  if ARGV.empty?
+    puts "用法: ruby ssh_detector.rb <host> [port]"
+    puts "示例: ruby ssh_detector.rb github.com"
+    puts "       ruby ssh_detector.rb 192.168.1.1 2222"
+    exit 1
+  end
+
+  host = ARGV[0]
+  port = (ARGV[1] || 22).to_i
+
+  detector = SSHProtocolDetector.new(host, port)
+  detector.detect
+end

data/support/ssh/2310/detector/ssh_detector_final.rb

@@ -0,0 +1,273 @@
+#!/usr/bin/env ruby
+# SSH协议检测器 (简化实用版)
+# 功能: 检测SSH服务器支持的KEX/Cipher/MAC/HostKey算法
+# 协议: 实现SSH-TRANS传输层协议 (RFC 4253)
+
+require 'socket'
+require 'timeout'
+
+class SSHDetector
+  # SSH消息类型
+  SSH_MSG_KEXINIT = 20
+
+  # 测试用的算法列表
+  TEST_ALGORITHMS = {
+    kex: "curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512",
+    host_key: "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
+    cipher: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
+    mac: "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
+    compression: "none,zlib@openssh.com"
+  }
+
+  def initialize(host, port = 22)
+    @host = host
+    @port = port
+    @socket = nil
+  end
+
+  def detect
+    puts "\n🔍 SSH协议检测: #{@host}:#{@port}"
+    puts "=" * 60
+
+    connect
+    banner = exchange_banner
+    kex_data = perform_kex_init
+
+    if kex_data
+      display_results(banner, kex_data)
+    else
+      puts "❌ 无法完成密钥交换"
+    end
+  rescue => e
+    puts "❌ 错误: #{e.message}"
+  ensure
+    @socket&.close
+  end
+
+  private
+
+  def connect
+    @socket = TCPSocket.new(@host, @port)
+    puts "✅ TCP连接成功"
+  end
+
+  def exchange_banner
+    # 发送客户端Banner
+    @socket.write("SSH-2.0-RubyDetector_1.0\r\n")
+
+    # 读取服务器Banner
+    banner = @socket.gets&.chomp
+    puts "📢 服务器Banner: #{banner}"
+
+    # 检查版本
+    if banner =~ /SSH-(\d+\.\d+)-(.+)/
+      version = $1
+      software = $2
+      puts "   协议版本: SSH-#{version}"
+      puts "   软件版本: #{software}"
+
+      if version.start_with?("1.")
+        puts "⚠️  警告: 服务器支持SSH v1（不安全）"
+      end
+    end
+
+    banner
+  end
+
+  def perform_kex_init
+    puts "\n🔬 执行密钥交换探测..."
+
+    # 构造KEX_INIT包
+    send_kex_init
+
+    # 接收服务器KEX_INIT
+    payload = recv_packet
+    return nil unless payload
+
+    # 解析算法列表
+    parse_kex_init(payload)
+  end
+
+  def send_kex_init
+    # 构造KEXINIT payload
+    payload = [SSH_MSG_KEXINIT].pack("C")  # 消息类型
+    payload += "\x00" * 16  # cookie (16字节随机，这里简化)
+
+    # 添加算法列表 (name-list: uint32长度 + 字符串)
+    TEST_ALGORITHMS.each do |_, algos|
+      payload += [algos.length].pack("N") + algos
+    end
+
+    # 语言列表 (空)
+    payload += [0].pack("N")  # languages_client_to_server
+    payload += [0].pack("N")  # languages_server_to_client
+    payload += [0].pack("C")  # first_kex_packet_follows = false
+    payload += [0].pack("N")  # 保留
+
+    # 包装成SSH包
+    send_packet(payload)
+  end
+
+  def send_packet(payload)
+    block_size = 8
+    min_padding = 4
+
+    payload_len = payload.length
+    padding_len = block_size - ((payload_len + 5) % block_size)
+    padding_len += block_size if padding_len < min_padding
+
+    packet_len = payload_len + padding_len + 1
+    packet = [packet_len].pack("N")
+    packet += [padding_len].pack("C")
+    packet += payload
+    packet += "\x00" * padding_len
+
+    @socket.write(packet)
+  end
+
+  def recv_packet
+    # 读取包长度
+    len_bytes = @socket.read(4)
+    return nil unless len_bytes && len_bytes.length == 4
+
+    packet_len = len_bytes.unpack1("N")
+    return nil if packet_len > 35000
+
+    # 读取包内容
+    packet = @socket.read(packet_len)
+    return nil unless packet && packet.length == packet_len
+
+    # 解析: padding_len(1) + payload + padding
+    padding_len = packet[0].unpack1("C")
+    packet[1..-(padding_len+1)]
+  end
+
+  def parse_kex_init(payload)
+    return nil if payload.nil? || payload.empty?
+
+    msg_type = payload[0].unpack1("C")
+    return nil unless msg_type == SSH_MSG_KEXINIT
+
+    # 跳过16字节cookie
+    offset = 17
+
+    # 读取name-list的辅助函数
+    read_list = lambda {
+      return nil if offset + 4 > payload.length
+      len = payload[offset, 4].unpack1("N")
+      offset += 4
+      return nil if offset + len > payload.length
+      str = payload[offset, len]
+      offset += len
+      str.split(",")
+    }
+
+    {
+      kex: read_list.call,
+      host_key: read_list.call,
+      cipher_c2s: read_list.call,
+      cipher_s2c: read_list.call,
+      mac_c2s: read_list.call,
+      mac_s2c: read_list.call,
+      compress_c2s: read_list.call,
+      compress_s2c: read_list.call
+    }
+  end
+
+  def display_results(banner, data)
+    puts "\n" + "=" * 60
+    puts "📊 检测结果"
+    puts "=" * 60
+
+    puts "\n🔑 密钥交换算法 (KEX) - #{data[:kex]&.length || 0}种:"
+    data[:kex]&.each_slice(4) { |slice| puts "   • #{slice.join(' • ')}" }
+
+    puts "\n🔐 主机密钥算法 (Host Key) - #{data[:host_key]&.length || 0}种:"
+    data[:host_key]&.each_slice(4) { |slice| puts "   • #{slice.join(' • ')}" }
+
+    puts "\n🔒 加密算法 (Cipher) - #{data[:cipher_c2s]&.length || 0}种:"
+    data[:cipher_c2s]&.each_slice(3) { |slice| puts "   • #{slice.join(' • ')}" }
+
+    puts "\n📝 MAC算法 - #{data[:mac_c2s]&.length || 0}种:"
+    data[:mac_c2s]&.each_slice(3) { |slice| puts "   • #{slice.join(' • ')}" }
+
+    puts "\n📦 压缩算法 - #{data[:compress_c2s]&.length || 0}种:"
+    puts "   • #{data[:compress_c2s]&.join(' • ')}"
+
+    # 安全分析
+    analyze_security(data)
+
+    puts "\n📋 SSH协议栈结构:"
+    puts "   ┌─────────────────────────────────────┐"
+    puts "   │  SSH-CONN (连接层) - 端口转发/会话   │"
+    puts "   ├─────────────────────────────────────┤"
+    puts "   │  SSH-AUTH (认证层) - 用户认证         │"
+    puts "   ├─────────────────────────────────────┤"
+    puts "   │  SSH-TRANS (传输层)                  │"
+    puts "   │  ├── KEX: #{data[:kex]&.first || 'N/A'}"[0..50]
+    puts "   │  ├── Cipher: #{data[:cipher_c2s]&.first || 'N/A'}"[0..50]
+    puts "   │  ├── MAC: #{data[:mac_c2s]&.first || 'N/A'}"[0..50]
+    puts "   │  └── Compression: #{data[:compress_c2s]&.first || 'none'}"[0..50]
+    puts "   └─────────────────────────────────────┘"
+  end
+
+  def analyze_security(data)
+    puts "\n🔐 安全分析:"
+
+    weak_algos = {
+      "diffie-hellman-group1-sha1" => "使用SHA1的DH组1（非常弱）",
+      "diffie-hellman-group14-sha1" => "使用SHA1的DH组14",
+      "3des-cbc" => "3DES加密（慢且不安全）",
+      "blowfish-cbc" => "Blowfish（已废弃）",
+      "arcfour" => "RC4（严重不安全）",
+      "hmac-md5" => "MD5哈希（不安全）",
+      "hmac-sha1" => "SHA1（考虑升级）"
+    }
+
+    issues = []
+    all_algos = (data[:kex] || []) + (data[:cipher_c2s] || []) + (data[:mac_c2s] || [])
+
+    weak_algos.each do |algo, desc|
+      if all_algos.any? { |a| a.include?(algo) }
+        issues << "⚠️  发现弱算法 #{algo}: #{desc}"
+      end
+    end
+
+    if issues.empty?
+      puts "   ✅ 未发现明显的弱算法"
+    else
+      issues.each { |i| puts "   #{i}" }
+    end
+
+    # 推荐
+    puts "\n💡 推荐配置:"
+    puts "   KEX: curve25519-sha256, ecdh-sha2-nistp521"
+    puts "   Cipher: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com"
+    puts "   MAC: hmac-sha2-256-etm@openssh.com"
+  end
+end
+
+# 命令行入口
+if __FILE__ == $0
+  if ARGV.empty?
+    puts "SSH协议检测器 (Ruby实现)"
+    puts "=" * 50
+    puts "用法: ruby ssh_detector.rb <主机> [端口]"
+    puts ""
+    puts "示例:"
+    puts "  ruby ssh_detector.rb github.com"
+    puts "  ruby ssh_detector.rb 192.168.1.100 2222"
+    puts ""
+    puts "说明:"
+    puts "  • 实现SSH-TRANS传输层协议 (RFC 4253)"
+    puts "  • 探测KEX/Cipher/MAC/HostKey算法支持"
+    puts "  • 识别弱算法和安全风险"
+    puts "  • 无需外部gem依赖"
+    exit 1
+  end
+
+  host = ARGV[0]
+  port = (ARGV[1] || 22).to_i
+
+  SSHDetector.new(host, port).detect
+end