ssh_scan 0.0.13 → 0.0.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 33f1febf216b8836861940688f4da101debe78cc
-  data.tar.gz: 2b0661596cfd440cbb46c7abac8b3de76443b906
+  metadata.gz: 3d541b6a665e8adbd86013e68cea159cb42a514b
+  data.tar.gz: cbbb3ba9b9e169091ca8db560ccfb06780781f39
 SHA512:
-  metadata.gz: ddd8614a94d51f8e0f77c1c82fff0a480634de65a35f6fb30b1969282c81f1b9c035649e47d66f717421f34c6257364cbb77327cbe8495cbd27ea65dd9fa74ea
-  data.tar.gz: 4cffdf417580c5e11dc7b7e6b7ad17e6014c0cc31f02728728e9f317ecec0d295cb7f46f1045b4fac0b5c0c38a59062f0e441bbbf851a1c88c39be9f18eb3ade
+  metadata.gz: 70218de598e768b46841299ebe891980ece0080792d2eac5fcf8d879e13c15c841a817bbf148968cf6ec2117d232c80c7f676eada7b1d812014109bfe5b31c34
+  data.tar.gz: e1fe1bdb16ea13623741607d54e3102af8a4e26c0b94adaebbbc90736c5587a3b2b427057e866cf73e3a66ec7cb58c52a67f6f9ec39a196f6e3cd0bb3c35bb95

data/lib/ssh_scan/client.rb

@@ -28,6 +28,9 @@ module SSHScan
       rescue Errno::ENETUNREACH => e
         @error = SSHScan::Error::ConnectionRefused.new(e.message)
         @sock = nil
+       rescue Errno::ECONNRESET => e
+        @error = SSHScan::Error::ConnectionRefused.new(e.message)
+        @sock = nil
       rescue Errno::EACCES => e
         @error = SSHScan::Error::ConnectionRefused.new(e.message)
         @sock = nil
@@ -61,7 +64,7 @@ module SSHScan
       end
 
       # Assemble and print results
-      result[:server_banner] = @server_banner
+      result[:server_banner] = @server_banner.to_s
       result[:ssh_version] = @server_banner.ssh_version
       result[:os] = @server_banner.os_guess.common
       result[:os_cpe] = @server_banner.os_guess.cpe
@@ -76,7 +79,7 @@ module SSHScan
         @sock = nil
         return result
       end
-      
+
       resp += @sock.read(resp.unpack("N").first)
       @sock.close
 

data/lib/ssh_scan/crypto.rb

@@ -0,0 +1,38 @@
+require 'openssl'
+
+module SSHScan
+  module Crypto
+    class PublicKey
+      def initialize(key)
+        @key = key
+        @supported = check_supported
+        if @key.is_a?(OpenSSL::PKey::RSA)
+          @data_string = OpenSSL::ASN1::Sequence([
+           OpenSSL::ASN1::Integer.new(@key.public_key.n),
+           OpenSSL::ASN1::Integer.new(@key.public_key.e)
+          ])
+        end
+      end
+
+      def check_supported
+        @key and @key.is_a?(OpenSSL::PKey::RSA)
+      end
+
+      def is_supported?
+        @supported
+      end
+
+      def fingerprint_md5
+        OpenSSL::Digest::MD5.hexdigest(@data_string.to_der).scan(/../).join(':')
+      end
+
+      def fingerprint_sha1
+        OpenSSL::Digest::SHA1.hexdigest(@data_string.to_der).scan(/../).join(':')
+      end
+
+      def fingerprint_sha256
+        OpenSSL::Digest::SHA256.hexdigest(@data_string.to_der).scan(/../).join(':')
+      end
+    end
+  end
+end

data/lib/ssh_scan/policy.rb

@@ -2,7 +2,7 @@ require 'yaml'
 
 module SSHScan
   class Policy
-    attr_reader :name, :kex, :macs, :encryption, :compression, :references, :auth_methods
+    attr_reader :name, :kex, :macs, :encryption, :compression, :references, :auth_methods, :ssh_version
 
     def initialize(opts = {})
       @name = opts['name'] || []
@@ -12,6 +12,7 @@ module SSHScan
       @compression = opts['compression'] || []
       @references = opts['references'] || []
       @auth_methods = opts['auth_methods'] || []
+      @ssh_version = opts['ssh_version'] || false
     end
 
     def self.from_file(file)

data/lib/ssh_scan/policy_manager.rb

@@ -104,6 +104,16 @@ module SSHScan
       return outliers
     end
 
+    def out_of_policy_ssh_version
+      target_ssh_version = @result[:ssh_version]
+      if @policy.ssh_version
+        if target_ssh_version < @policy.ssh_version
+          return true
+        end
+      end
+      return false
+    end
+
     def compliant?
       out_of_policy_encryption.empty? &&
       out_of_policy_macs.empty? &&
@@ -113,7 +123,8 @@ module SSHScan
       missing_policy_macs.empty? &&
       missing_policy_kex.empty? &&
       missing_policy_compression.empty? &&
-      out_of_policy_auth_methods.empty?
+      out_of_policy_auth_methods.empty? &&
+      out_of_policy_ssh_version
     end
 
     def recommendations
@@ -131,6 +142,10 @@ module SSHScan
       recommendations << "Remove these Encryption Ciphers: #{out_of_policy_encryption.join(", ")}" unless out_of_policy_encryption.empty?
       recommendations << "Remove these Compression Algos: #{out_of_policy_compression.join(", ")}" unless out_of_policy_compression.empty?
       recommendations << "Remove these Authentication Methods: #{out_of_policy_auth_methods.join(", ")}" unless out_of_policy_auth_methods.empty?
+
+      # Update these items to be compliant
+      recommendations << "Update your ssh version to: #{@policy.ssh_version}" if out_of_policy_ssh_version
+
       return recommendations
     end
 

data/lib/ssh_scan/scan_engine.rb

@@ -1,5 +1,6 @@
 require 'socket'
 require 'ssh_scan/client'
+require 'ssh_scan/crypto'
 require 'net/ssh'
 
 module SSHScan
@@ -14,6 +15,8 @@ module SSHScan
       timeout = opts[:timeout]
       result = []
 
+      start_time = Time.now
+
       if target.fqdn?
         if target.resolve_fqdn_as_ipv6.nil?
           client = SSHScan::Client.new(target.resolve_fqdn_as_ipv4.to_s, port, timeout)
@@ -63,21 +66,12 @@ module SSHScan
           raise e
         end
       else
-        #only supporting RSA for the moment
-        if host_key.is_a?(OpenSSL::PKey::RSA)
-          data_string = OpenSSL::ASN1::Sequence([
-           OpenSSL::ASN1::Integer.new(host_key.public_key.n),
-           OpenSSL::ASN1::Integer.new(host_key.public_key.e)
-          ])
-
-          fingerprint_md5 = OpenSSL::Digest::MD5.hexdigest(data_string.to_der).scan(/../).join(':')
-          fingerprint_sha1 = OpenSSL::Digest::SHA1.hexdigest(data_string.to_der).scan(/../).join(':')
-          fingerprint_sha256 = OpenSSL::Digest::SHA256.hexdigest(data_string.to_der).scan(/../).join(':')
-
+        pkey = SSHScan::Crypto::PublicKey.new(host_key)
+        if pkey.is_supported?
           result['fingerprints'] = {
-           "md5" => fingerprint_md5,
-           "sha1" => fingerprint_sha1,
-           "sha256" => fingerprint_sha256,
+            "md5" => pkey.fingerprint_md5,
+            "sha1" => pkey.fingerprint_sha1,
+            "sha256" => pkey.fingerprint_sha256,
           }
         end
       end
@@ -98,6 +92,13 @@ module SSHScan
         result['compliance'] = policy_mgr.compliance_results
       end
 
+      # Add scan times
+      end_time = Time.now
+
+      result['start_time'] = start_time.to_s
+      result['end_time'] = end_time.to_s
+      result['scan_duration_seconds'] = end_time - start_time
+
       return result
     end
 

data/lib/ssh_scan/version.rb

@@ -1,3 +1,3 @@
 module SSHScan
-  VERSION = '0.0.13'
+  VERSION = '0.0.14'
 end

data/policies/mozilla_intermediate.yml

@@ -1,5 +1,6 @@
 ---
 name: Mozilla Intermediate
+ssh_version: 2.0
 auth_methods:
 - publickey
 kex:

data/policies/mozilla_modern.yml

@@ -1,5 +1,6 @@
 ---
 name: Mozilla Modern
+ssh_version: 2.0
 auth_methods:
 - publickey
 kex:

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ssh_scan
 version: !ruby/object:Gem::Version
-  version: 0.0.13
+  version: 0.0.14
 platform: ruby
 authors:
 - Jonathan Claudius
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-07 00:00:00.000000000 Z
+date: 2016-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -128,6 +128,7 @@ files:
 - lib/ssh_scan/banner.rb
 - lib/ssh_scan/client.rb
 - lib/ssh_scan/constants.rb
+- lib/ssh_scan/crypto.rb
 - lib/ssh_scan/error.rb
 - lib/ssh_scan/error/closed_connection.rb
 - lib/ssh_scan/error/connect_timeout.rb