ssh_scan 0.0.38 → 0.0.43

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2256af6879617ca3c773dfe970eb2614923210c5e12c4a0e0195b07de6bd5dd6
-  data.tar.gz: 33e2317b550a08fd59baf2a6d8f6472cef671422552aca00453a612b72c12bae
+  metadata.gz: 035ffcd050babf1ef147195f6981a84a331e41d6929479a13383692b7148261f
+  data.tar.gz: 5354ffacae2dcf14ecc9a8ebe640baf96cf450ed08ad18dd0fb0bafe818131af
 SHA512:
-  metadata.gz: aa9c2bcc2ba4a8b959a2518e74dc55851d6e631f260de76d711acc350e32ecd8e10746ea8792661276d10d40e8651b9203cea533a8ec02e241a39f8577c225e4
-  data.tar.gz: 9319c177d2cf3eaca666f54c29367293ff525be8d9e6f04d17529b9488905529a01994a6c9ef4c37901a918b8aec72b0d3f2675458fc786ad0b7a8ceac0f8cd9
+  metadata.gz: 8a859e1d12f2c6479f15d8e34a2b71c6d040f6d7913ef7d661209ad902f73b901c2fb79f439656d68e43275b57db41e10a7f9d0aa939404e5978dc2067cde124
+  data.tar.gz: 596a3102e97a68d74ebe0d698eeaef1687229e896a44fd7152241b658d0f7a6b28c5a9dd1b94e31215b52ebf1ad3179b4a0a614f97cfde9b8f4f7b460c9cf714

data/CONTRIBUTING.md

@@ -27,9 +27,9 @@ inclusion, but sending a pull request is much more awesome.
 
 If you want your pull requests to be accepted, please follow the following guidelines:
 
-- [**Add tests!**](http://rspec.info/) Your patch won't be accepted (or will be delayed) if it doesn't have tests.
+- [**Add tests!**](https://rspec.info/) Your patch won't be accepted (or will be delayed) if it doesn't have tests.
 
-- [**Document any change in behaviour**](http://yardoc.org/) Make sure the README and any other
+- [**Document any change in behaviour**](https://yardoc.org/) Make sure the README and any other
   relevant documentation are kept up-to-date.
 
 - [**Create topic branches**](https://github.com/dchelimsky/rspec/wiki/Topic-Branches) Don't ask us to pull from your master branch.
@@ -37,7 +37,7 @@ If you want your pull requests to be accepted, please follow the following guide
 - [**One pull request per feature**](https://help.github.com/articles/using-pull-requests) If you want to do more than one thing, send
   multiple pull requests.
 
-- [**Send coherent history**](http://stackoverflow.com/questions/6934752/git-combining-multiple-commits-before-pushing) Make sure each individual commit in your pull
+- [**Send coherent history**](https://stackoverflow.com/questions/6934752/git-combining-multiple-commits-before-pushing) Make sure each individual commit in your pull
   request is meaningful. If you had to make multiple intermediate commits while
   developing, please squash them before sending them to us.
 

data/README.md

@@ -9,7 +9,7 @@ A SSH configuration and policy scanner
 
 ## Key Benefits
 
-- **Minimal Dependancies** - Uses native Ruby and BinData to do its work, no heavy dependancies.
+- **Minimal Dependencies** - Uses native Ruby and BinData to do its work, no heavy dependencies.
 - **Not Just a Script** - Implementation is portable for use in another project or for automation of tasks.
 - **Simple** - Just point `ssh_scan` at an SSH service and get a JSON report of what it supports and its policy status.
 - **Configurable** - Make your own custom policies that fit your unique policy requirements.
@@ -89,7 +89,7 @@ Examples:
 
 ## ssh_scan as a service/api?
 
-This project is soley for ssh_scan engine/command-line usage.
+This project is solely for ssh_scan engine/command-line usage.
 
 If you would like to run ssh_scan as a service, please refer to [the ssh_scan_api project](https://github.com/mozilla/ssh_scan_api)
 

data/bin/ssh_scan

@@ -20,7 +20,7 @@ options = {
   "verbosity" => nil,
   "logger" => Logger.new(STDERR),
   "fingerprint_database" => ENV['HOME']+'/.ssh_scan_fingerprints.yml',
-  "output_type" => "json"
+  "output_type" => nil
 }
 
 # Reorder arguments before parsing
@@ -106,7 +106,8 @@ scan") do |file|
 
   opts.on("-o", "--output [FilePath]",
           "File to write JSON output to") do |file|
-    $stdout.reopen(file, "w")
+    options["output"] = file
+    # $stdout.reopen(file, "w")
   end
 
   opts.on("--output-type [json, yaml]",
@@ -238,9 +239,23 @@ options["policy_file"] = SSHScan::Policy.from_file(options["policy"])
 scan_engine = SSHScan::ScanEngine.new()
 results = scan_engine.scan(options)
 
-if options["output_type"] == "yaml"
+if options["output_type"] == "yaml" && (options["output"].nil? || options["output"].empty?)
   puts YAML.dump(results)
-elsif options["output_type"] == "json"
+elsif options["output_type"] == "json" && (options["output"].nil? || options["output"].empty?)
+  puts JSON.pretty_generate(results)
+elsif (options["output_type"].nil? || options["output_type"].empty?) && (!options["output"].nil? && options["output"].split(".").last.downcase == "yml")
+  open(options["output"], 'w') do |f|
+    f.puts YAML.dump(results)
+  end
+elsif (options["output_type"].nil? || options["output_type"].empty?) && (!options["output"].nil? && options["output"].split(".").last.downcase == "json")
+  open(options["output"], 'w') do |f|
+    f.puts JSON.pretty_generate(results)
+  end
+elsif (options["output_type"].nil? || options["output_type"].empty?) && options["output"]
+  open(options["output"], 'w') do |f|
+    f.puts JSON.pretty_generate(results)
+  end
+else
   puts JSON.pretty_generate(results)
 end
 

data/config/policies/just_etm_macs.yaml

@@ -0,0 +1,24 @@
+---
+name: Mozilla Modern - with just ETM macs
+ssh_version: 2.0
+auth_methods:
+- publickey
+kex:
+- curve25519-sha256@libssh.org
+- ecdh-sha2-nistp521
+- ecdh-sha2-nistp384
+- ecdh-sha2-nistp256
+- diffie-hellman-group-exchange-sha256
+encryption:
+- chacha20-poly1305@openssh.com
+- aes256-gcm@openssh.com
+- aes128-gcm@openssh.com
+- aes256-ctr
+- aes192-ctr
+- aes128-ctr
+macs:
+- hmac-sha2-512-etm@openssh.com
+- hmac-sha2-256-etm@openssh.com
+- umac-128-etm@openssh.com
+references:
+- https://example.com/custom_policy

data/lib/ssh_scan/client.rb

@@ -70,6 +70,9 @@ module SSHScan
       rescue Errno::EHOSTUNREACH => e
         @error = SSHScan::Error::ConnectionRefused.new(e.message)
         @sock = nil
+      rescue Errno::ENOPROTOOPT => e
+        @error = SSHScan::Error::ConnectionRefused.new(e.message)
+        @sock = nil
       else
         if @raw_server_banner.nil?
           @error = SSHScan::Error::NoBanner.new(

data/lib/ssh_scan/public_key.rb

@@ -0,0 +1,64 @@
+require 'openssl'
+require 'sshkey'
+require 'base64'
+
+module SSHScan
+  # All cryptography related methods.
+  module Crypto
+    # House methods helpful in analysing SSH public keys.
+    class PublicKey
+      def initialize(key_string)
+        @key_string = key_string
+      end
+
+      def valid?
+        SSHKey.valid_ssh_public_key?(@key_string)
+      end
+
+      def type
+        if @key_string.start_with?("ssh-rsa")
+          return "rsa"
+        elsif @key_string.start_with?("ssh-dss")
+          return "dsa"
+        elsif @key_string.start_with?("ecdsa-sha2-nistp256")
+          return "ecdsa-sha2-nistp256"
+        elsif @key_string.start_with?("ssh-ed25519")
+          return "ed25519"
+        else
+          return "unknown"
+        end 
+      end
+
+      def length
+        SSHKey.ssh_public_key_bits(@key_string)
+      end
+
+      def fingerprint_md5
+        SSHKey.fingerprint(@key_string)
+      end
+
+      def fingerprint_sha1
+        SSHKey.sha1_fingerprint(@key_string)
+      end
+
+      def fingerprint_sha256
+        # We're translating this to hex because the SSHKEY default isn't as useful for comparing with SSHFP records
+        Base64.decode64(SSHKey.sha256_fingerprint(@key_string)).hexify(:delim => ":")
+      end
+
+      def to_hash
+        {
+          self.type => {
+            "raw" => @key_string,
+            "length" => self.length,
+            "fingerprints" => {
+              "md5" => self.fingerprint_md5,
+              "sha1" => self.fingerprint_sha1,
+              "sha256" => self.fingerprint_sha256
+            }
+          }
+        }
+      end
+    end
+  end
+end

data/lib/ssh_scan/result.rb

@@ -8,7 +8,7 @@ module SSHScan
   class Result
     def initialize()
       @version = SSHScan::VERSION
-      @fingerprints = nil
+      @keys = nil
       @duplicate_host_key_ips = Set.new()
       @compliance = {}
     end
@@ -157,12 +157,20 @@ module SSHScan
       @auth_methods = auth_methods
     end
 
-    def fingerprints=(fingerprints)
-      @fingerprints = fingerprints
+    def keys
+      @keys || {}
     end
 
-    def fingerprints
-      @fingerprints
+    def keys=(keys)
+      @keys = keys
+    end
+
+    def dns_keys
+      @dns_keys
+    end
+
+    def dns_keys=(dns_keys)
+      @dns_keys = dns_keys
     end
 
     def duplicate_host_key_ips=(duplicate_host_key_ips)
@@ -249,8 +257,9 @@ module SSHScan
       	"languages_client_to_server" => self.languages_client_to_server,
       	"languages_server_to_client" => self.languages_server_to_client,
       	"auth_methods" => self.auth_methods,
-        "fingerprints" => self.fingerprints,
-        "duplicate_host_key_ips" => self.duplicate_host_key_ips,
+        "keys" => self.keys,
+        "dns_keys" => self.dns_keys,
+        "duplicate_host_key_ips" => self.duplicate_host_key_ips.uniq,
       	"compliance" => @compliance,
         "start_time" => self.start_time,
         "end_time" => self.end_time,

data/lib/ssh_scan/scan_engine.rb

@@ -1,8 +1,9 @@
 require 'socket'
 require 'ssh_scan/client'
-require 'ssh_scan/crypto'
+require 'ssh_scan/public_key'
 require 'ssh_scan/fingerprint_database'
 require 'ssh_scan/subprocess'
+require 'ssh_scan/ssh_fp'
 require 'net/ssh'
 require 'logger'
 require 'open3'
@@ -119,11 +120,11 @@ module SSHScan
       end
 
       # Figure out what rsa or dsa fingerprints exist
-      fingerprints = {}
+      keys = {}
 
       output = ""
 
-      cmd = ['ssh-keyscan', '-t', 'rsa,dsa', '-p', port.to_s, target].join(" ")
+      cmd = ['ssh-keyscan', '-t', 'rsa,dsa,ecdsa,ed25519', '-p', port.to_s, target].join(" ")
 
       Utils::Subprocess.new(cmd) do |stdout, stderr, thread|
         if stdout
@@ -136,31 +137,27 @@ module SSHScan
 
       for i in 0..host_keys_len
         if host_keys[i].eql? "ssh-dss"
-          pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
-          fingerprints.merge!({
-            "dsa" => {
-              "known_bad" => pkey.bad_key?.to_s,
-              "md5" => pkey.fingerprint_md5,
-              "sha1" => pkey.fingerprint_sha1,
-              "sha256" => pkey.fingerprint_sha256,
-            }
-          })
+          key = SSHScan::Crypto::PublicKey.new([host_keys[i], host_keys[i + 1]].join(" "))
+          keys.merge!(key.to_hash)
         end
 
         if host_keys[i].eql? "ssh-rsa"
-          pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
-          fingerprints.merge!({
-            "rsa" => {
-              "known_bad" => pkey.bad_key?.to_s,
-              "md5" => pkey.fingerprint_md5,
-              "sha1" => pkey.fingerprint_sha1,
-              "sha256" => pkey.fingerprint_sha256,
-            }
-          })
+          key = SSHScan::Crypto::PublicKey.new([host_keys[i], host_keys[i + 1]].join(" "))
+          keys.merge!(key.to_hash)
+        end
+
+        if host_keys[i].eql? "ecdsa-sha2-nistp256"
+          key = SSHScan::Crypto::PublicKey.new([host_keys[i], host_keys[i + 1]].join(" "))
+          keys.merge!(key.to_hash)
+        end
+
+        if host_keys[i].eql? "ssh-ed25519"
+          key = SSHScan::Crypto::PublicKey.new([host_keys[i], host_keys[i + 1]].join(" "))
+          keys.merge!(key.to_hash)
         end
       end
 
-      result.fingerprints = fingerprints
+      result.keys = keys
       result.set_end_time
 
       return result
@@ -200,12 +197,10 @@ module SSHScan
       results.each do |result|
         fingerprint_db.clear_fingerprints(result.ip)
 
-        if result.fingerprints
-          result.fingerprints.values.each do |host_key_algo|
-            host_key_algo.each do |fingerprint|
-              key, value = fingerprint
-              next if key == "known_bad"
-              fingerprint_db.add_fingerprint(value, result.ip)
+        if result.keys
+          result.keys.values.each do |host_key_algo|
+            host_key_algo['fingerprints'].values.each do |fingerprint|
+              fingerprint_db.add_fingerprint(fingerprint, result.ip)
             end
           end
         end
@@ -213,20 +208,26 @@ module SSHScan
 
       # Decorate all the results with duplicate keys
       results.each do |result|
-        if result.fingerprints
+        if result.keys
           ip = result.ip
           result.duplicate_host_key_ips = []
-          result.fingerprints.values.each do |host_key_algo|
-            host_key_algo.each do |fingerprint|
-              key, value = fingerprint
-              next if key == "known_bad"
-              fingerprint_db.find_fingerprints(value).each do |other_ip|
+          result.keys.values.each do |host_key_algo|
+            host_key_algo["fingerprints"].values.each do |fingerprint|
+              fingerprint_db.find_fingerprints(fingerprint).each do |other_ip|
                 next if ip == other_ip
                 result.duplicate_host_key_ips << other_ip
               end
             end
           end
-          result.duplicate_host_key_ips
+        end
+      end
+
+      # Decorate all the results with SSHFP records
+      sshfp = SSHScan::SshFp.new()
+      results.each do |result|
+        if !result.hostname.empty?
+          dns_keys = sshfp.query(result.hostname)
+          result.dns_keys = dns_keys
         end
       end
 

data/lib/ssh_scan/ssh_fp.rb

@@ -0,0 +1,47 @@
+require 'resolv'
+
+module SSHScan
+  class SshFp
+    
+    ALGO_MAP = {
+      0 => "reserved", # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      1 => "rsa",      # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      2 => "dss",      # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      3 => "ecdsa",    # Reference: https://tools.ietf.org/html/rfc6594#section-5.3.1
+      4 => "ed25519"   # Reference: https://tools.ietf.org/html/rfc7479
+    }
+
+    
+    FPTYPE_MAP = {
+      0 => "reserved",  # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      1 => "sha1",      # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      2 => "sha256"     # Reference: https://tools.ietf.org/html/rfc6594#section-5.1.2
+    }
+
+
+    def query(fqdn)
+      sshfp_records = []
+
+      # Reference: https://stackoverflow.com/questions/28867626/how-to-use-resolvdnsresourcegeneric
+      # Note: this includes some fixes too, I'll post a direct link back to the SO article.
+      Resolv::DNS.open do |dns|
+         all_records = dns.getresources(fqdn, Resolv::DNS::Resource::IN::ANY ) rescue nil
+         all_records.each do |rr|
+            if rr.is_a? Resolv::DNS::Resource::Generic then
+               classname = rr.class.name.split('::').last
+               if classname == "Type44_Class1"
+                 data = rr.data.bytes
+                 algo = data[0].to_s
+                 fptype = data[1].to_s
+                 fp = data[2..-1]
+                 hex = fp.map{|b| b.to_s(16).rjust(2,'0') }.join(':')
+                 sshfp_records << {"fptype" => FPTYPE_MAP[fptype.to_i], "algo" => ALGO_MAP[algo.to_i], "hex" => hex}
+               end
+            end
+         end
+      end
+
+      return sshfp_records.sort_by { |k| k["hex"] }
+    end
+  end
+end

data/lib/ssh_scan/version.rb

@@ -1,3 +1,3 @@
 module SSHScan
-  VERSION = '0.0.38'
+  VERSION = '0.0.43'
 end

data/lib/string_ext.rb

@@ -69,6 +69,31 @@ class String
     end
   end
 
+  # Stolen from: https://github.com/emonti/rbkb/blob/master/lib/rbkb/extends/string.rb
+  def hexify(opts={})
+    delim = opts[:delim]
+    pre = (opts[:prefix] || "")
+    suf = (opts[:suffix] || "")
+
+    if (rx=opts[:rx]) and not rx.kind_of? Regexp
+      raise "rx must be a regular expression for a character class"
+    end
+
+    hx = [("0".."9").to_a, ("a".."f").to_a].flatten
+
+    out=Array.new
+
+    self.each_byte do |c|
+      hc = if (rx and not rx.match c.chr)
+             c.chr
+           else
+             pre + (hx[(c >> 4)] + hx[(c & 0xf )]) + suf
+           end
+      out << (hc)
+    end
+    out.join(delim)
+  end
+
   def fqdn?
     begin
       resolve_fqdn

data/ssh_scan.gemspec

@@ -32,7 +32,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency('bindata', '2.4.3')
   s.add_dependency('netaddr', '1.5.1')
-  s.add_dependency('net-ssh', '5.0.2')
+  s.add_dependency('net-ssh', '5.2.0')
   s.add_dependency('sshkey')
   s.add_development_dependency('pry', '0.11.3')
   s.add_development_dependency('rspec', '3.7.0')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ssh_scan
 version: !ruby/object:Gem::Version
-  version: 0.0.38
+  version: 0.0.43
 platform: ruby
 authors:
 - Jonathan Claudius
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2020-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -48,14 +48,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.2.0
 - !ruby/object:Gem::Dependency
   name: sshkey
   requirement: !ruby/object:Gem::Requirement
@@ -155,6 +155,7 @@ files:
 - README.md
 - Rakefile
 - bin/ssh_scan
+- config/policies/just_etm_macs.yaml
 - config/policies/mozilla_intermediate.yml
 - config/policies/mozilla_modern.yml
 - data/README
@@ -163,7 +164,6 @@ files:
 - lib/ssh_scan/banner.rb
 - lib/ssh_scan/client.rb
 - lib/ssh_scan/constants.rb
-- lib/ssh_scan/crypto.rb
 - lib/ssh_scan/error.rb
 - lib/ssh_scan/error/closed_connection.rb
 - lib/ssh_scan/error/connect_timeout.rb
@@ -188,8 +188,10 @@ files:
 - lib/ssh_scan/policy.rb
 - lib/ssh_scan/policy_manager.rb
 - lib/ssh_scan/protocol.rb
+- lib/ssh_scan/public_key.rb
 - lib/ssh_scan/result.rb
 - lib/ssh_scan/scan_engine.rb
+- lib/ssh_scan/ssh_fp.rb
 - lib/ssh_scan/ssh_lib.rb
 - lib/ssh_scan/ssh_lib/ciscossh.rb
 - lib/ssh_scan/ssh_lib/cryptlib.rb

data/lib/ssh_scan/crypto.rb

@@ -1,60 +0,0 @@
-require 'openssl'
-require 'sshkey'
-require 'base64'
-
-module SSHScan
-  # All cryptography related methods.
-  module Crypto
-    # House methods helpful in analysing SSH public keys.
-    class PublicKey
-      def initialize(key)
-        @key = key
-      end
-
-      # Is the current key known to be in our known bad key list
-      # @return [Boolean] true if this {SSHScan::Crypto::PublicKey}
-      #   instance's key is also in {SSHScan::Crypto}'s
-      #   bad_public_keys, otherwise false
-      def bad_key?
-        SSHScan::Crypto.bad_public_keys.each do |other_key|
-          if self.fingerprint_sha256 == other_key.fingerprint_sha256
-            return true
-          end
-        end
-
-        return false
-      end
-
-      # Generate MD5 fingerprint for this {SSHScan::Crypto::PublicKey} instance.
-      # @return [String] formatted MD5 fingerprint
-      def fingerprint_md5
-        OpenSSL::Digest::MD5.hexdigest(::Base64.decode64(@key)).scan(/../).join(':')
-      end
-
-      # Generate SHA1 fingerprint for this {SSHScan::Crypto::PublicKey} instance.
-      # @return [String] formatted SHA1 fingerprint
-      def fingerprint_sha1
-        OpenSSL::Digest::SHA1.hexdigest(::Base64.decode64(@key)).scan(/../).join(':')
-      end
-
-      # Generate SHA256 fingerprint for this {SSHScan::Crypto::PublicKey} instance.
-      # @return [String] formatted SHA256 fingerprint
-      def fingerprint_sha256
-        OpenSSL::Digest::SHA256.hexdigest(::Base64.decode64(@key)).scan(/../).join(':')
-      end
-    end
-
-    def self.bad_public_keys
-      bad_keys = []
-
-      Dir.glob("data/ssh-badkeys/host/*.key").each do |file_path|
-        file = File.read(File.expand_path(file_path))
-        key = SSHKey.new(file)
-        bad_keys << SSHScan::Crypto::PublicKey.new(key.ssh_public_key.split[1])
-      end
-
-      return bad_keys
-    end
-
-  end
-end