ssh_scan 0.0.13 → 0.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 33f1febf216b8836861940688f4da101debe78cc
4
- data.tar.gz: 2b0661596cfd440cbb46c7abac8b3de76443b906
3
+ metadata.gz: 3d541b6a665e8adbd86013e68cea159cb42a514b
4
+ data.tar.gz: cbbb3ba9b9e169091ca8db560ccfb06780781f39
5
5
  SHA512:
6
- metadata.gz: ddd8614a94d51f8e0f77c1c82fff0a480634de65a35f6fb30b1969282c81f1b9c035649e47d66f717421f34c6257364cbb77327cbe8495cbd27ea65dd9fa74ea
7
- data.tar.gz: 4cffdf417580c5e11dc7b7e6b7ad17e6014c0cc31f02728728e9f317ecec0d295cb7f46f1045b4fac0b5c0c38a59062f0e441bbbf851a1c88c39be9f18eb3ade
6
+ metadata.gz: 70218de598e768b46841299ebe891980ece0080792d2eac5fcf8d879e13c15c841a817bbf148968cf6ec2117d232c80c7f676eada7b1d812014109bfe5b31c34
7
+ data.tar.gz: e1fe1bdb16ea13623741607d54e3102af8a4e26c0b94adaebbbc90736c5587a3b2b427057e866cf73e3a66ec7cb58c52a67f6f9ec39a196f6e3cd0bb3c35bb95
@@ -28,6 +28,9 @@ module SSHScan
28
28
  rescue Errno::ENETUNREACH => e
29
29
  @error = SSHScan::Error::ConnectionRefused.new(e.message)
30
30
  @sock = nil
31
+ rescue Errno::ECONNRESET => e
32
+ @error = SSHScan::Error::ConnectionRefused.new(e.message)
33
+ @sock = nil
31
34
  rescue Errno::EACCES => e
32
35
  @error = SSHScan::Error::ConnectionRefused.new(e.message)
33
36
  @sock = nil
@@ -61,7 +64,7 @@ module SSHScan
61
64
  end
62
65
 
63
66
  # Assemble and print results
64
- result[:server_banner] = @server_banner
67
+ result[:server_banner] = @server_banner.to_s
65
68
  result[:ssh_version] = @server_banner.ssh_version
66
69
  result[:os] = @server_banner.os_guess.common
67
70
  result[:os_cpe] = @server_banner.os_guess.cpe
@@ -76,7 +79,7 @@ module SSHScan
76
79
  @sock = nil
77
80
  return result
78
81
  end
79
-
82
+
80
83
  resp += @sock.read(resp.unpack("N").first)
81
84
  @sock.close
82
85
 
@@ -0,0 +1,38 @@
1
+ require 'openssl'
2
+
3
+ module SSHScan
4
+ module Crypto
5
+ class PublicKey
6
+ def initialize(key)
7
+ @key = key
8
+ @supported = check_supported
9
+ if @key.is_a?(OpenSSL::PKey::RSA)
10
+ @data_string = OpenSSL::ASN1::Sequence([
11
+ OpenSSL::ASN1::Integer.new(@key.public_key.n),
12
+ OpenSSL::ASN1::Integer.new(@key.public_key.e)
13
+ ])
14
+ end
15
+ end
16
+
17
+ def check_supported
18
+ @key and @key.is_a?(OpenSSL::PKey::RSA)
19
+ end
20
+
21
+ def is_supported?
22
+ @supported
23
+ end
24
+
25
+ def fingerprint_md5
26
+ OpenSSL::Digest::MD5.hexdigest(@data_string.to_der).scan(/../).join(':')
27
+ end
28
+
29
+ def fingerprint_sha1
30
+ OpenSSL::Digest::SHA1.hexdigest(@data_string.to_der).scan(/../).join(':')
31
+ end
32
+
33
+ def fingerprint_sha256
34
+ OpenSSL::Digest::SHA256.hexdigest(@data_string.to_der).scan(/../).join(':')
35
+ end
36
+ end
37
+ end
38
+ end
@@ -2,7 +2,7 @@ require 'yaml'
2
2
 
3
3
  module SSHScan
4
4
  class Policy
5
- attr_reader :name, :kex, :macs, :encryption, :compression, :references, :auth_methods
5
+ attr_reader :name, :kex, :macs, :encryption, :compression, :references, :auth_methods, :ssh_version
6
6
 
7
7
  def initialize(opts = {})
8
8
  @name = opts['name'] || []
@@ -12,6 +12,7 @@ module SSHScan
12
12
  @compression = opts['compression'] || []
13
13
  @references = opts['references'] || []
14
14
  @auth_methods = opts['auth_methods'] || []
15
+ @ssh_version = opts['ssh_version'] || false
15
16
  end
16
17
 
17
18
  def self.from_file(file)
@@ -104,6 +104,16 @@ module SSHScan
104
104
  return outliers
105
105
  end
106
106
 
107
+ def out_of_policy_ssh_version
108
+ target_ssh_version = @result[:ssh_version]
109
+ if @policy.ssh_version
110
+ if target_ssh_version < @policy.ssh_version
111
+ return true
112
+ end
113
+ end
114
+ return false
115
+ end
116
+
107
117
  def compliant?
108
118
  out_of_policy_encryption.empty? &&
109
119
  out_of_policy_macs.empty? &&
@@ -113,7 +123,8 @@ module SSHScan
113
123
  missing_policy_macs.empty? &&
114
124
  missing_policy_kex.empty? &&
115
125
  missing_policy_compression.empty? &&
116
- out_of_policy_auth_methods.empty?
126
+ out_of_policy_auth_methods.empty? &&
127
+ out_of_policy_ssh_version
117
128
  end
118
129
 
119
130
  def recommendations
@@ -131,6 +142,10 @@ module SSHScan
131
142
  recommendations << "Remove these Encryption Ciphers: #{out_of_policy_encryption.join(", ")}" unless out_of_policy_encryption.empty?
132
143
  recommendations << "Remove these Compression Algos: #{out_of_policy_compression.join(", ")}" unless out_of_policy_compression.empty?
133
144
  recommendations << "Remove these Authentication Methods: #{out_of_policy_auth_methods.join(", ")}" unless out_of_policy_auth_methods.empty?
145
+
146
+ # Update these items to be compliant
147
+ recommendations << "Update your ssh version to: #{@policy.ssh_version}" if out_of_policy_ssh_version
148
+
134
149
  return recommendations
135
150
  end
136
151
 
@@ -1,5 +1,6 @@
1
1
  require 'socket'
2
2
  require 'ssh_scan/client'
3
+ require 'ssh_scan/crypto'
3
4
  require 'net/ssh'
4
5
 
5
6
  module SSHScan
@@ -14,6 +15,8 @@ module SSHScan
14
15
  timeout = opts[:timeout]
15
16
  result = []
16
17
 
18
+ start_time = Time.now
19
+
17
20
  if target.fqdn?
18
21
  if target.resolve_fqdn_as_ipv6.nil?
19
22
  client = SSHScan::Client.new(target.resolve_fqdn_as_ipv4.to_s, port, timeout)
@@ -63,21 +66,12 @@ module SSHScan
63
66
  raise e
64
67
  end
65
68
  else
66
- #only supporting RSA for the moment
67
- if host_key.is_a?(OpenSSL::PKey::RSA)
68
- data_string = OpenSSL::ASN1::Sequence([
69
- OpenSSL::ASN1::Integer.new(host_key.public_key.n),
70
- OpenSSL::ASN1::Integer.new(host_key.public_key.e)
71
- ])
72
-
73
- fingerprint_md5 = OpenSSL::Digest::MD5.hexdigest(data_string.to_der).scan(/../).join(':')
74
- fingerprint_sha1 = OpenSSL::Digest::SHA1.hexdigest(data_string.to_der).scan(/../).join(':')
75
- fingerprint_sha256 = OpenSSL::Digest::SHA256.hexdigest(data_string.to_der).scan(/../).join(':')
76
-
69
+ pkey = SSHScan::Crypto::PublicKey.new(host_key)
70
+ if pkey.is_supported?
77
71
  result['fingerprints'] = {
78
- "md5" => fingerprint_md5,
79
- "sha1" => fingerprint_sha1,
80
- "sha256" => fingerprint_sha256,
72
+ "md5" => pkey.fingerprint_md5,
73
+ "sha1" => pkey.fingerprint_sha1,
74
+ "sha256" => pkey.fingerprint_sha256,
81
75
  }
82
76
  end
83
77
  end
@@ -98,6 +92,13 @@ module SSHScan
98
92
  result['compliance'] = policy_mgr.compliance_results
99
93
  end
100
94
 
95
+ # Add scan times
96
+ end_time = Time.now
97
+
98
+ result['start_time'] = start_time.to_s
99
+ result['end_time'] = end_time.to_s
100
+ result['scan_duration_seconds'] = end_time - start_time
101
+
101
102
  return result
102
103
  end
103
104
 
@@ -1,3 +1,3 @@
1
1
  module SSHScan
2
- VERSION = '0.0.13'
2
+ VERSION = '0.0.14'
3
3
  end
@@ -1,5 +1,6 @@
1
1
  ---
2
2
  name: Mozilla Intermediate
3
+ ssh_version: 2.0
3
4
  auth_methods:
4
5
  - publickey
5
6
  kex:
@@ -1,5 +1,6 @@
1
1
  ---
2
2
  name: Mozilla Modern
3
+ ssh_version: 2.0
3
4
  auth_methods:
4
5
  - publickey
5
6
  kex:
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ssh_scan
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.13
4
+ version: 0.0.14
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonathan Claudius
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2016-09-07 00:00:00.000000000 Z
12
+ date: 2016-09-16 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bindata
@@ -128,6 +128,7 @@ files:
128
128
  - lib/ssh_scan/banner.rb
129
129
  - lib/ssh_scan/client.rb
130
130
  - lib/ssh_scan/constants.rb
131
+ - lib/ssh_scan/crypto.rb
131
132
  - lib/ssh_scan/error.rb
132
133
  - lib/ssh_scan/error/closed_connection.rb
133
134
  - lib/ssh_scan/error/connect_timeout.rb