ssh_scan 0.0.16 → 0.0.17.pre
- checksums.yaml +4 -4
- data/.gitignore +15 -1
- data/.travis.yml +2 -0
- data/Gemfile +1 -0
- data/README.md +35 -33
- data/Rakefile +40 -16
- data/bin/ssh_scan +91 -53
- data/bin/ssh_scan_worker +14 -0
- data/lib/ssh_scan.rb +0 -1
- data/lib/ssh_scan/client.rb +10 -4
- data/lib/ssh_scan/constants.rb +67 -18
- data/lib/ssh_scan/crypto.rb +3 -18
- data/lib/ssh_scan/error/closed_connection.rb +1 -1
- data/lib/ssh_scan/error/connect_timeout.rb +1 -1
- data/lib/ssh_scan/error/connection_refused.rb +1 -1
- data/lib/ssh_scan/error/disconnected.rb +1 -1
- data/lib/ssh_scan/error/no_banner.rb +1 -1
- data/lib/ssh_scan/error/no_kex_response.rb +1 -1
- data/lib/ssh_scan/os/raspbian.rb +2 -4
- data/lib/ssh_scan/os/ubuntu.rb +103 -58
- data/lib/ssh_scan/policy.rb +2 -1
- data/lib/ssh_scan/policy_manager.rb +67 -18
- data/lib/ssh_scan/protocol.rb +53 -21
- data/lib/ssh_scan/scan_engine.rb +78 -44
- data/lib/ssh_scan/ssh_lib/dropbear.rb +2 -4
- data/lib/ssh_scan/target_parser.rb +3 -3
- data/lib/ssh_scan/update.rb +3 -3
- data/lib/ssh_scan/version.rb +1 -2
- data/lib/ssh_scan/worker.rb +119 -0
- data/lib/string_ext.rb +2 -1
- data/ssh_scan.gemspec +4 -8
- metadata +28 -96
- data/bin/ssh_scan_api +0 -36
- data/lib/ssh_scan/api.rb +0 -124
- data/lib/ssh_scan/fingerprint_database.rb +0 -39
- data/policies/mozilla_intermediate.yml +0 -19
- data/policies/mozilla_modern.yml +0 -30
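--- a/data/lib/ssh_scan/api.rb
+++ b/data/lib/ssh_scan/api.rb
@@ -1,124 +0,0 @@
-require 'sinatra/base'
-require 'sinatra/namespace'
-require 'ssh_scan/version'
-require 'ssh_scan/policy'
-require 'ssh_scan/scan_engine'
-require 'json'
-require 'haml'
-require 'secure_headers'
-
-module SSHScan
-class API < Sinatra::Base
-use SecureHeaders::Middleware
-
-SecureHeaders::Configuration.default do |config|
-config.cookies = {
-secure: true, # mark all cookies as "Secure"
-httponly: true, # mark all cookies as "HttpOnly"
-}
-config.hsts = "max-age=31536000; includeSubdomains; preload"
-config.x_frame_options = "DENY"
-config.x_content_type_options = "nosniff"
-config.x_xss_protection = "1; mode=block"
-config.x_download_options = "noopen"
-config.x_permitted_cross_domain_policies = "none"
-config.referrer_policy = "origin-when-cross-origin"
-config.csp = {
-default_src: %w('none'),
-frame_ancestors: %w('none'),
-upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-}
-end
-
-class NullLogger < Logger
-def initialize(*args)
-end
-
-def add(*args, &block)
-end
-end
-
-register Sinatra::Namespace
-
-before do
-headers "Server" => "ssh_scan_api"
-end
-
-# Custom 404 handling
-not_found do
-content_type "text/plain"
-'Invalid request, see API documentation here: https://github.com/mozilla/ssh_scan/wiki/ssh_scan-Web-API'
-end
-
-get '/robots.txt' do
-content_type "text/plain"
-"User-agent: *\nDisallow: /\n"
-end
-
-get '/contribute.json' do
-content_type :json
-{
-:name => "ssh_scan api",
-:description => "An api for performing ssh compliance and policy scanning",
-:repository => {
-:url => "https://github.com/mozilla/ssh_scan",
-:tests => "https://travis-ci.org/mozilla/ssh_scan",
-},
-:participate => {
-:home => "https://github.com/mozilla/ssh_scan",
-:docs => "https://github.com/mozilla/ssh_scan",
-:irc => "irc://irc.mozilla.org/#infosec",
-:irc_contacts => [
-"claudijd",
-"pwnbus",
-"kang",
-],
-:glitter => "https://gitter.im/mozilla-ssh_scan/Lobby",
-:glitter_contacts => [
-"claudijd",
-"pwnbus",
-"kang",
-"jinankjain",
-"agaurav77"
-],
-},
-:bugs => {
-:list => "https://github.com/mozilla/ssh_scan/issues",
-},
-:keywords => [
-"ruby",
-"sinatra",
-],
-}.to_json
-end
-
-
-namespace "/api/v#{SSHScan::API_VERSION}" do
-before do
-content_type :json
-end
-
-post '/scan' do
-options = {
-:sockets => [],
-:policy => File.expand_path("../../../policies/mozilla_modern.yml", __FILE__),
-:timeout => 2,
-:verbosity => nil,
-:logger => NullLogger.new,
-:fingerprint_database => "fingerprints.db",
-}
-options[:sockets] << "#{params[:target]}:#{params[:port] ? params[:port] : "22"}"
-options[:policy_file] = SSHScan::Policy.from_file(options[:policy])
-scan_engine = SSHScan::ScanEngine.new()
-scan_engine.scan(options).to_json
-end
-
-get '/__version__' do
-{
-:ssh_scan_version => SSHScan::VERSION,
-:api_version => SSHScan::API_VERSION,
-}.to_json
-end
-end
-end
-end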
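--- a/data/lib/ssh_scan/fingerprint_database.rb
+++ b/data/lib/ssh_scan/fingerprint_database.rb
@@ -1,39 +0,0 @@
-require 'sqlite3'
-
-module SSHScan
-class FingerprintDatabase
-def initialize(database_name)
-if File.exists?(database_name)
-@db = ::SQLite3::Database.open(database_name)
-else
-@db = ::SQLite3::Database.new(database_name)
-self.create_schema
-end
-end
-
-def create_schema
-@db.execute <<-SQL
-create table fingerprints (
-fingerprint varchar(100),
-ip varchar(100)
-);
-SQL
-end
-
-def clear_fingerprints(ip)
-@db.execute "delete from fingerprints where ip like ( ? )", [ip]
-end
-
-def add_fingerprint(fingerprint, ip)
-@db.execute "insert into fingerprints values ( ?, ? )", [fingerprint, ip]
-end
-
-def find_fingerprints(fingerprint)
-ips = []
-@db.execute( "select * from fingerprints where fingerprint like ( ? )", [fingerprint] ) do |row|
-ips << row[1]
-end
-return ips
-end
-end
-end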
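--- a/data/policies/mozilla_intermediate.yml
+++ b/data/policies/mozilla_intermediate.yml
@@ -1,19 +0,0 @@
----
-name: Mozilla Intermediate
-ssh_version: 2.0
-auth_methods:
-- publickey
-kex:
-- diffie-hellman-group-exchange-sha256
-encryption:
-- aes256-ctr
-- aes192-ctr
-- aes128-ctr
-macs:
-- hmac-sha2-512
-- hmac-sha2-256
-compression:
-- none
-- zlib@openssh.com
-references:
-- https://wiki.mozilla.org/Security/Guidelines/OpenSSH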
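--- a/data/policies/mozilla_modern.yml
+++ b/data/policies/mozilla_modern.yml
@@ -1,30 +0,0 @@
----
-name: Mozilla Modern
-ssh_version: 2.0
-auth_methods:
-- publickey
-kex:
-- curve25519-sha256@libssh.org
-- ecdh-sha2-nistp521
-- ecdh-sha2-nistp384
-- ecdh-sha2-nistp256
-- diffie-hellman-group-exchange-sha256
-encryption:
-- chacha20-poly1305@openssh.com
-- aes256-gcm@openssh.com
-- aes128-gcm@openssh.com
-- aes256-ctr
-- aes192-ctr
-- aes128-ctr
-macs:
-- hmac-sha2-512-etm@openssh.com
-- hmac-sha2-256-etm@openssh.com
-- umac-128-etm@openssh.com
-- hmac-sha2-512
-- hmac-sha2-256
-- umac-128@openssh.com
-compression:
-- none
-- zlib@openssh.com
-references:
-- https://wiki.mozilla.org/Security/Guidelines/OpenSSH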