ssh_scan 0.0.16 → 0.0.17.pre

data/lib/ssh_scan/policy.rb

@@ -2,7 +2,8 @@ require 'yaml'
 
 module SSHScan
   class Policy
-    attr_reader :name, :kex, :macs, :encryption, :compression, :references, :auth_methods, :ssh_version
+    attr_reader :name, :kex, :macs, :encryption, :compression,
+                :references, :auth_methods, :ssh_version
 
     def initialize(opts = {})
       @name = opts['name'] || []

data/lib/ssh_scan/policy_manager.rb

@@ -6,7 +6,9 @@ module SSHScan
     end
 
     def out_of_policy_encryption
-      target_encryption = @result[:encryption_algorithms_client_to_server] | @result[:encryption_algorithms_server_to_client]
+      target_encryption =
+        @result[:encryption_algorithms_client_to_server] |
+        @result[:encryption_algorithms_server_to_client]
       outliers = []
       target_encryption.each do |target_enc|
         outliers << target_enc unless @policy.encryption.include?(target_enc)
@@ -15,7 +17,9 @@ module SSHScan
     end
 
     def missing_policy_encryption
-      target_encryption = @result[:encryption_algorithms_client_to_server] | @result[:encryption_algorithms_server_to_client]
+      target_encryption =
+        @result[:encryption_algorithms_client_to_server] |
+        @result[:encryption_algorithms_server_to_client]
       outliers = []
       @policy.encryption.each do |encryption|
         if target_encryption.include?(encryption) == false
@@ -26,7 +30,9 @@ module SSHScan
     end
 
     def out_of_policy_macs
-      target_macs = @result[:mac_algorithms_server_to_client] | @result[:mac_algorithms_client_to_server]
+      target_macs =
+        @result[:mac_algorithms_server_to_client] |
+        @result[:mac_algorithms_client_to_server]
       outliers = []
       target_macs.each do |target_mac|
         outliers << target_mac unless @policy.macs.include?(target_mac)
@@ -35,7 +41,9 @@ module SSHScan
     end
 
     def missing_policy_macs
-      target_macs = @result[:mac_algorithms_server_to_client] | @result[:mac_algorithms_client_to_server]
+      target_macs =
+        @result[:mac_algorithms_server_to_client] |
+        @result[:mac_algorithms_client_to_server]
       outliers = []
 
       @policy.macs.each do |mac|
@@ -68,16 +76,21 @@ module SSHScan
     end
 
     def out_of_policy_compression
-      target_compressions = @result[:compression_algorithms_server_to_client] | @result[:compression_algorithms_client_to_server]
+      target_compressions =
+        @result[:compression_algorithms_server_to_client] |
+        @result[:compression_algorithms_client_to_server]
       outliers = []
       target_compressions.each do |target_compression|
-        outliers << target_compression unless @policy.compression.include?(target_compression)
+        outliers << target_compression unless
+          @policy.compression.include?(target_compression)
       end
       return outliers
     end
 
     def missing_policy_compression
-      target_compressions = @result[:compression_algorithms_server_to_client] | @result[:compression_algorithms_client_to_server]
+      target_compressions =
+        @result[:compression_algorithms_server_to_client] |
+        @result[:compression_algorithms_client_to_server]
       outliers = []
 
       @policy.compression.each do |compression|
@@ -124,27 +137,63 @@ module SSHScan
       missing_policy_kex.empty? &&
       missing_policy_compression.empty? &&
       out_of_policy_auth_methods.empty? &&
-      out_of_policy_ssh_version
+      !out_of_policy_ssh_version
     end
 
     def recommendations
       recommendations = []
 
       # Add these items to be compliant
-      recommendations << "Add these Key Exchange Algos: #{missing_policy_kex.join(",")}" unless missing_policy_kex.empty?
-      recommendations << "Add these MAC Algos: #{missing_policy_macs.join(",")}" unless missing_policy_macs.empty?
-      recommendations << "Add these Encryption Ciphers: #{missing_policy_encryption.join(",")}" unless missing_policy_encryption.empty?
-      recommendations << "Add these Compression Algos: #{missing_policy_compression.join(",")}" unless missing_policy_compression.empty?
+      if missing_policy_kex.any?
+        recommendations << "Add these Key Exchange Algos: \
+#{missing_policy_kex.join(",")}"
+      end
+
+      if missing_policy_macs.any?
+        recommendations << "Add these MAC Algos: \
+#{missing_policy_macs.join(",")}"
+      end
+
+      if missing_policy_encryption.any?
+        recommendations << "Add these Encryption Ciphers: \
+#{missing_policy_encryption.join(",")}"
+      end
+
+      if missing_policy_compression.any?
+        recommendations << "Add these Compression Algos: \
+#{missing_policy_compression.join(",")}"
+      end
 
       # Remove these items to be compliant
-      recommendations << "Remove these Key Exchange Algos: #{out_of_policy_kex.join(", ")}" unless out_of_policy_kex.empty?
-      recommendations << "Remove these MAC Algos: #{out_of_policy_macs.join(", ")}" unless out_of_policy_macs.empty?
-      recommendations << "Remove these Encryption Ciphers: #{out_of_policy_encryption.join(", ")}" unless out_of_policy_encryption.empty?
-      recommendations << "Remove these Compression Algos: #{out_of_policy_compression.join(", ")}" unless out_of_policy_compression.empty?
-      recommendations << "Remove these Authentication Methods: #{out_of_policy_auth_methods.join(", ")}" unless out_of_policy_auth_methods.empty?
+      if out_of_policy_kex.any?
+        recommendations << "Remove these Key Exchange Algos: \
+#{out_of_policy_kex.join(", ")}"
+      end
+
+      if out_of_policy_macs.any?
+        recommendations << "Remove these MAC Algos: \
+#{out_of_policy_macs.join(", ")}"
+      end
+
+      if out_of_policy_encryption.any?
+        recommendations << "Remove these Encryption Ciphers: \
+#{out_of_policy_encryption.join(", ")}"
+      end
+
+      if out_of_policy_compression.any?
+        recommendations << "Remove these Compression Algos: \
+#{out_of_policy_compression.join(", ")}"
+      end
+
+      if out_of_policy_auth_methods.any?
+        recommendations << "Remove these Authentication Methods: \
+#{out_of_policy_auth_methods.join(", ")}"
+      end
 
       # Update these items to be compliant
-      recommendations << "Update your ssh version to: #{@policy.ssh_version}" if out_of_policy_ssh_version
+      if out_of_policy_ssh_version
+        recommendations << "Update your ssh version to: #{@policy.ssh_version}"
+      end
 
       return recommendations
     end

data/lib/ssh_scan/protocol.rb

@@ -11,28 +11,50 @@ module SSHScan
     uint8 :message_code, :initial_value => 20
     string :cookie_string, :length => 16
     uint32 :kex_algorithms_length
-    string :key_algorithms_string, :length => lambda { self.kex_algorithms_length }
+    string :key_algorithms_string, :length => lambda {
+      self.kex_algorithms_length
+    }
     uint32 :server_host_key_algorithms_length
-    string :server_host_key_algorithms_string, :length => lambda { self.server_host_key_algorithms_length }
+    string :server_host_key_algorithms_string, :length => lambda {
+      self.server_host_key_algorithms_length
+    }
     uint32 :encryption_algorithms_client_to_server_length
-    string :encryption_algorithms_client_to_server_string, :length => lambda { self.encryption_algorithms_client_to_server_length }
+    string :encryption_algorithms_client_to_server_string, :length => lambda {
+      self.encryption_algorithms_client_to_server_length
+    }
     uint32 :encryption_algorithms_server_to_client_length
-    string :encryption_algorithms_server_to_client_string, :length => lambda { self.encryption_algorithms_server_to_client_length }
+    string :encryption_algorithms_server_to_client_string, :length => lambda {
+      self.encryption_algorithms_server_to_client_length
+    }
     uint32 :mac_algorithms_client_to_server_length
-    string :mac_algorithms_client_to_server_string, :length => lambda { self.mac_algorithms_client_to_server_length }
+    string :mac_algorithms_client_to_server_string, :length => lambda {
+      self.mac_algorithms_client_to_server_length
+    }
     uint32 :mac_algorithms_server_to_client_length
-    string :mac_algorithms_server_to_client_string, :length => lambda { self.mac_algorithms_server_to_client_length }
+    string :mac_algorithms_server_to_client_string, :length => lambda {
+      self.mac_algorithms_server_to_client_length
+    }
     uint32 :compression_algorithms_client_to_server_length
-    string :compression_algorithms_client_to_server_string, :length => lambda { self.compression_algorithms_client_to_server_length }
+    string :compression_algorithms_client_to_server_string, :length => lambda {
+      self.compression_algorithms_client_to_server_length
+    }
     uint32 :compression_algorithms_server_to_client_length
-    string :compression_algorithms_server_to_client_string, :length => lambda { self.compression_algorithms_server_to_client_length }
+    string :compression_algorithms_server_to_client_string, :length => lambda {
+      self.compression_algorithms_server_to_client_length
+    }
     uint32 :languages_client_to_server_length
-    string :languages_client_to_server_string, :length => lambda { self.languages_client_to_server_length }
+    string :languages_client_to_server_string, :length => lambda {
+      self.languages_client_to_server_length
+    }
     uint32 :languages_server_to_client_length
-    string :languages_server_to_client_string, :length => lambda { self.languages_server_to_client_length }
+    string :languages_server_to_client_string, :length => lambda {
+      self.languages_server_to_client_length
+    }
     uint8 :kex_first_packet_follows
     uint32 :reserved
-    string :padding_string, :read_length => lambda { self.padding_length }
+    string :padding_string, :read_length => lambda {
+      self.padding_length
+    }
 
     def cookie
       self.cookie_string
@@ -183,12 +205,16 @@ module SSHScan
         :cookie => self.cookie.hexify,
         :key_algorithms => key_algorithms,
         :server_host_key_algorithms => server_host_key_algorithms,
-        :encryption_algorithms_client_to_server => encryption_algorithms_client_to_server,
-        :encryption_algorithms_server_to_client => encryption_algorithms_server_to_client,
+        :encryption_algorithms_client_to_server =>
+          encryption_algorithms_client_to_server,
+        :encryption_algorithms_server_to_client =>
+          encryption_algorithms_server_to_client,
         :mac_algorithms_client_to_server => mac_algorithms_client_to_server,
         :mac_algorithms_server_to_client => mac_algorithms_server_to_client,
-        :compression_algorithms_client_to_server => compression_algorithms_client_to_server,
-        :compression_algorithms_server_to_client => compression_algorithms_server_to_client,
+        :compression_algorithms_client_to_server =>
+          compression_algorithms_client_to_server,
+        :compression_algorithms_server_to_client =>
+          compression_algorithms_server_to_client,
         :languages_client_to_server => languages_client_to_server,
         :languages_server_to_client => languages_server_to_client,
       }
@@ -200,12 +226,18 @@ module SSHScan
       kex_init.padding = opts[:padding]
       kex_init.key_algorithms = opts[:key_algorithms]
       kex_init.server_host_key_algorithms = opts[:server_host_key_algorithms]
-      kex_init.encryption_algorithms_client_to_server = opts[:encryption_algorithms_client_to_server]
-      kex_init.encryption_algorithms_server_to_client = opts[:encryption_algorithms_server_to_client]
-      kex_init.mac_algorithms_client_to_server = opts[:mac_algorithms_client_to_server]
-      kex_init.mac_algorithms_server_to_client = opts[:mac_algorithms_server_to_client]
-      kex_init.compression_algorithms_client_to_server = opts[:compression_algorithms_client_to_server]
-      kex_init.compression_algorithms_server_to_client = opts[:compression_algorithms_server_to_client]
+      kex_init.encryption_algorithms_client_to_server =
+        opts[:encryption_algorithms_client_to_server]
+      kex_init.encryption_algorithms_server_to_client =
+        opts[:encryption_algorithms_server_to_client]
+      kex_init.mac_algorithms_client_to_server =
+        opts[:mac_algorithms_client_to_server]
+      kex_init.mac_algorithms_server_to_client =
+        opts[:mac_algorithms_server_to_client]
+      kex_init.compression_algorithms_client_to_server =
+        opts[:compression_algorithms_client_to_server]
+      kex_init.compression_algorithms_server_to_client =
+        opts[:compression_algorithms_server_to_client]
       kex_init.languages_client_to_server = opts[:languages_client_to_server]
       kex_init.languages_server_to_client = opts[:languages_server_to_client]
       return kex_init

data/lib/ssh_scan/scan_engine.rb

@@ -1,8 +1,9 @@
 require 'socket'
 require 'ssh_scan/client'
 require 'ssh_scan/crypto'
-require 'ssh_scan/fingerprint_database'
+#require 'ssh_scan/fingerprint_database'
 require 'net/ssh'
+require 'logger'
 
 module SSHScan
   class ScanEngine
@@ -12,24 +13,30 @@ module SSHScan
       if port.nil?
         port = 22
       end
-      timeout = opts[:timeout]
+      timeout = opts["timeout"]
       result = []
 
       start_time = Time.now
 
       if target.fqdn?
         if target.resolve_fqdn_as_ipv6.nil?
-          client = SSHScan::Client.new(target.resolve_fqdn_as_ipv4.to_s, port, timeout)
+          client = SSHScan::Client.new(
+            target.resolve_fqdn_as_ipv4.to_s, port, timeout
+          )
           client.connect()
           result = client.get_kex_result()
           result[:hostname] = target
           return result if result.include?(:error)
         else
-          client = SSHScan::Client.new(target.resolve_fqdn_as_ipv6.to_s, port, timeout)
+          client = SSHScan::Client.new(
+            target.resolve_fqdn_as_ipv6.to_s, port, timeout
+          )
           client.connect()
           result = client.get_kex_result()
           if result.include?(:error)
-            client = SSHScan::Client.new(target.resolve_fqdn_as_ipv4.to_s, port, timeout)
+            client = SSHScan::Client.new(
+              target.resolve_fqdn_as_ipv4.to_s, port, timeout
+            )
             client.connect()
             result = client.get_kex_result()
             result[:hostname] = target
@@ -53,10 +60,11 @@ module SSHScan
                             :paranoid => Net::SSH::Verifiers::Null.new
                           )
         raise SSHScan::Error::ClosedConnection.new if net_ssh_session.closed?
-        auth_session = Net::SSH::Authentication::Session.new(net_ssh_session, :auth_methods => ["none"])
+        auth_session = Net::SSH::Authentication::Session.new(
+          net_ssh_session, :auth_methods => ["none"]
+        )
         auth_session.authenticate("none", "test", "test")
         result['auth_methods'] = auth_session.allowed_auth_methods
-        host_key = net_ssh_session.host_keys.first
         net_ssh_session.close
       rescue Net::SSH::ConnectionTimeout => e
         result[:error] = e
@@ -71,13 +79,32 @@ module SSHScan
           raise e
         end
       else
-        pkey = SSHScan::Crypto::PublicKey.new(host_key)
-        if pkey.is_supported?
-          result['fingerprints'] = {
-            "md5" => pkey.fingerprint_md5,
-            "sha1" => pkey.fingerprint_sha1,
-            "sha256" => pkey.fingerprint_sha256,
-          }
+        result['fingerprints'] = {}
+        host_keys = `ssh-keyscan -t rsa,dsa #{target} 2>/dev/null`.split
+        host_keys_len = host_keys.length - 1
+
+        for i in 0..host_keys_len
+          if host_keys[i].eql? "ssh-dss"
+            pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
+            result['fingerprints'].merge!({
+              "dsa" => {
+                "md5" => pkey.fingerprint_md5,
+                "sha1" => pkey.fingerprint_sha1,
+                "sha256" => pkey.fingerprint_sha256,
+              }
+            })
+          end
+
+          if host_keys[i].eql? "ssh-rsa"
+            pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
+            result['fingerprints'].merge!({
+              "rsa" => {
+                "md5" => pkey.fingerprint_md5,
+                "sha1" => pkey.fingerprint_sha1,
+                "sha256" => pkey.fingerprint_sha256,
+              }
+            })
+          end
         end
       end
 
@@ -91,21 +118,20 @@ module SSHScan
     end
 
     def scan(opts)
-      sockets = opts[:sockets]
-      threads = opts[:threads] || 5
-      logger = opts[:logger]
+      sockets = opts["sockets"]
+      threads = opts["threads"] || 5
+      logger = opts["logger"] || Logger.new(STDOUT)
 
       results = []
 
       work_queue = Queue.new
+
       sockets.each {|x| work_queue.push x }
-      workers = (0...threads).map do |worker_num|
+      workers = (0...threads).map do
         Thread.new do
           begin
             while socket = work_queue.pop(true)
-              logger.info("Started ssh_scan of #{socket}")
               results << scan_target(socket, opts)
-              logger.info("Completed ssh_scan of #{socket}")
             end
           rescue ThreadError => e
             raise e unless e.to_s.match(/queue empty/)
@@ -115,35 +141,41 @@ module SSHScan
       workers.map(&:join)
 
       # Add all the fingerprints to our peristent FingerprintDatabase
-      fingerprint_db = SSHScan::FingerprintDatabase.new(opts[:fingerprint_database])
-      results.each do |result|
-        fingerprint_db.clear_fingerprints(result[:ip])
-        if result['fingerprints']
-          result['fingerprints'].values.each do |fingerprint|
-            fingerprint_db.add_fingerprint(fingerprint, result[:ip])
-          end
-        end
-      end
+      # fingerprint_db = SSHScan::FingerprintDatabase.new(
+      #   opts[:fingerprint_database]
+      # )
+      # results.each do |result|
+      #   fingerprint_db.clear_fingerprints(result[:ip])
+      #   if result['fingerprints']
+      #     result['fingerprints'].values.each do |host_key_algo|
+      #       host_key_algo.values.each do |fingerprint|
+      #         fingerprint_db.add_fingerprint(fingerprint, result[:ip])
+      #       end
+      #     end
+      #   end
+      # end
 
       # Decorate all the results with duplicate keys
-      results.each do |result|
-        if result['fingerprints']
-          ip = result[:ip]
-          result['duplicate_host_key_ips'] = []
-          result['fingerprints'].values.each do |fingerprint|
-            fingerprint_db.find_fingerprints(fingerprint).each do |other_ip|
-              next if ip == other_ip
-              result['duplicate_host_key_ips'] << other_ip
-            end
-          end
-          result['duplicate_host_key_ips'].uniq!        
-        end
-      end
+      # results.each do |result|
+      #   if result['fingerprints']
+      #     ip = result[:ip]
+      #     result['duplicate_host_key_ips'] = []
+      #     result['fingerprints'].values.each do |host_key_algo|
+      #       host_key_algo.values.each do |fingerprint|
+      #         fingerprint_db.find_fingerprints(fingerprint).each do |other_ip|
+      #           next if ip == other_ip
+      #           result['duplicate_host_key_ips'] << other_ip
+      #         end
+      #       end
+      #     end
+      #     result['duplicate_host_key_ips'].uniq!
+      #   end
+      # end
 
       # Decorate all the results with compliance information
       results.each do |result|
         # Do this only when we have all the information we need
-        if !opts[:policy_file].nil? &&
+        if !opts["policy"].nil? &&
            !result[:key_algorithms].nil? &&
            !result[:server_host_key_algorithms].nil? &&
            !result[:encryption_algorithms_client_to_server].nil? &&
@@ -154,7 +186,9 @@ module SSHScan
            !result[:compression_algorithms_server_to_client].nil? &&
            !result[:languages_client_to_server].nil? &&
            !result[:languages_server_to_client].nil?
-          policy_mgr = SSHScan::PolicyManager.new(result, opts[:policy_file])
+
+          policy = SSHScan::Policy.from_file(opts["policy"])
+          policy_mgr = SSHScan::PolicyManager.new(result, policy)
           result['compliance'] = policy_mgr.compliance_results
         end
       end