ssh_scan 0.0.40 → 0.0.41

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 876b8b5d07476eea82ba8d4a802254e625f0610258601f96a10c8f7ea2dc88c3
-  data.tar.gz: db1836ba6ec5cb21cd1a1ef09a3cbcaa41b3986329fc7779bde33ac84086aa7a
+  metadata.gz: 30ae6fc2118a4c57d91680ce36dfb5f05f04887b27e1c29c11e87a19440a220c
+  data.tar.gz: 8bb716eafcb9ddedd8141466463c12a1d18323b68a7bb01bc7c6edb02fe899ae
 SHA512:
-  metadata.gz: b3c255143c2e499923b6101f22f7befd6912274071a9edac8fe2a7d4bda7b4c00d69c0f68b5b53d6f400f57be9320d6c5f254756010d483a690aac04d8ba66ed
-  data.tar.gz: 80371f6ba9868dbf949c64f6e2d263d1dc0eb57d5317c0d8147427695bfe4c36fd2105c5727e41b384a336ddf6f1f0251525d6dad0ac6a3c3d66e9aa1a216a5e
+  metadata.gz: b54db17fe59790ef8bec162fb4bb2949ab087ff7738217263a1454ec220fae500ccb21da7776407d8196dee9fa1a729c1cc472de8a200d64cb99e87e63cb0f93
+  data.tar.gz: f8516f26b7066e50d237bec19c56c4ae81f2a007c04d1a06af4e524f900807bb5e8924a7bcc58be5c9d6cea7435430ba7f13a244038ca24c3af6dac1116b8ff5

data/CONTRIBUTING.md

@@ -27,9 +27,9 @@ inclusion, but sending a pull request is much more awesome.
 
 If you want your pull requests to be accepted, please follow the following guidelines:
 
-- [**Add tests!**](http://rspec.info/) Your patch won't be accepted (or will be delayed) if it doesn't have tests.
+- [**Add tests!**](https://rspec.info/) Your patch won't be accepted (or will be delayed) if it doesn't have tests.
 
-- [**Document any change in behaviour**](http://yardoc.org/) Make sure the README and any other
+- [**Document any change in behaviour**](https://yardoc.org/) Make sure the README and any other
   relevant documentation are kept up-to-date.
 
 - [**Create topic branches**](https://github.com/dchelimsky/rspec/wiki/Topic-Branches) Don't ask us to pull from your master branch.
@@ -37,7 +37,7 @@ If you want your pull requests to be accepted, please follow the following guide
 - [**One pull request per feature**](https://help.github.com/articles/using-pull-requests) If you want to do more than one thing, send
   multiple pull requests.
 
-- [**Send coherent history**](http://stackoverflow.com/questions/6934752/git-combining-multiple-commits-before-pushing) Make sure each individual commit in your pull
+- [**Send coherent history**](https://stackoverflow.com/questions/6934752/git-combining-multiple-commits-before-pushing) Make sure each individual commit in your pull
   request is meaningful. If you had to make multiple intermediate commits while
   developing, please squash them before sending them to us.
 

data/bin/ssh_scan

@@ -20,7 +20,7 @@ options = {
   "verbosity" => nil,
   "logger" => Logger.new(STDERR),
   "fingerprint_database" => ENV['HOME']+'/.ssh_scan_fingerprints.yml',
-  "output_type" => "json"
+  "output_type" => nil
 }
 
 # Reorder arguments before parsing
@@ -106,7 +106,8 @@ scan") do |file|
 
   opts.on("-o", "--output [FilePath]",
           "File to write JSON output to") do |file|
-    $stdout.reopen(file, "w")
+    options["output"] = file
+    # $stdout.reopen(file, "w")
   end
 
   opts.on("--output-type [json, yaml]",
@@ -238,9 +239,23 @@ options["policy_file"] = SSHScan::Policy.from_file(options["policy"])
 scan_engine = SSHScan::ScanEngine.new()
 results = scan_engine.scan(options)
 
-if options["output_type"] == "yaml"
+if options["output_type"] == "yaml" && (options["output"].nil? || options["output"].empty?)
   puts YAML.dump(results)
-elsif options["output_type"] == "json"
+elsif options["output_type"] == "json" && (options["output"].nil? || options["output"].empty?)
+  puts JSON.pretty_generate(results)
+elsif (options["output_type"].nil? || options["output_type"].empty?) && (!options["output"].nil? && options["output"].split(".").last.downcase == "yml")
+  open(options["output"], 'w') do |f|
+    f.puts YAML.dump(results)
+  end
+elsif (options["output_type"].nil? || options["output_type"].empty?) && (!options["output"].nil? && options["output"].split(".").last.downcase == "json")
+  open(options["output"], 'w') do |f|
+    f.puts JSON.pretty_generate(results)
+  end
+elsif (options["output_type"].nil? || options["output_type"].empty?) && options["output"]
+  open(options["output"], 'w') do |f|
+    f.puts JSON.pretty_generate(results)
+  end
+else
   puts JSON.pretty_generate(results)
 end
 

data/lib/ssh_scan/public_key.rb

@@ -39,10 +39,11 @@ module SSHScan
 
       def fingerprint_sha1
         SSHKey.sha1_fingerprint(@key_string)
-      end    
+      end
 
       def fingerprint_sha256
-        SSHKey.sha256_fingerprint(@key_string)
+        # We're translating this to hex because the SSHKEY default isn't as useful for comparing with SSHFP records
+        Base64.decode64(SSHKey.sha256_fingerprint(@key_string)).hexify(:delim => ":")
       end
 
       def to_hash

data/lib/ssh_scan/result.rb

@@ -157,12 +157,20 @@ module SSHScan
       @auth_methods = auth_methods
     end
 
+    def keys
+      @keys || {}
+    end
+
     def keys=(keys)
       @keys = keys
     end
 
-    def keys
-      @keys
+    def dns_keys
+      @dns_keys
+    end
+
+    def dns_keys=(dns_keys)
+      @dns_keys = dns_keys
     end
 
     def duplicate_host_key_ips=(duplicate_host_key_ips)
@@ -250,6 +258,7 @@ module SSHScan
       	"languages_server_to_client" => self.languages_server_to_client,
       	"auth_methods" => self.auth_methods,
         "keys" => self.keys,
+        "dns_keys" => self.dns_keys,
         "duplicate_host_key_ips" => self.duplicate_host_key_ips.uniq,
       	"compliance" => @compliance,
         "start_time" => self.start_time,

data/lib/ssh_scan/scan_engine.rb

@@ -3,6 +3,7 @@ require 'ssh_scan/client'
 require 'ssh_scan/public_key'
 require 'ssh_scan/fingerprint_database'
 require 'ssh_scan/subprocess'
+require 'ssh_scan/ssh_fp'
 require 'net/ssh'
 require 'logger'
 require 'open3'
@@ -221,6 +222,15 @@ module SSHScan
         end
       end
 
+      # Decorate all the results with SSHFP records
+      sshfp = SSHScan::SshFp.new()
+      results.each do |result|
+        if !result.hostname.empty?
+          dns_keys = sshfp.query(result.hostname)
+          result.dns_keys = dns_keys
+        end
+      end
+
       # Decorate all the results with compliance information
       results.each do |result|
         # Do this only when we have all the information we need

data/lib/ssh_scan/ssh_fp.rb

@@ -0,0 +1,47 @@
+require 'resolv'
+
+module SSHScan
+  class SshFp
+    
+    ALGO_MAP = {
+      0 => "reserved", # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      1 => "rsa",      # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      2 => "dss",      # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      3 => "ecdsa",    # Reference: https://tools.ietf.org/html/rfc6594#section-5.3.1
+      4 => "ed25519"   # Reference: https://tools.ietf.org/html/rfc7479
+    }
+
+    
+    FPTYPE_MAP = {
+      0 => "reserved",  # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      1 => "sha1",      # Reference: https://tools.ietf.org/html/rfc4255#section-2.4
+      2 => "sha256"     # Reference: https://tools.ietf.org/html/rfc6594#section-5.1.2
+    }
+
+
+    def query(fqdn)
+      sshfp_records = []
+
+      # Reference: https://stackoverflow.com/questions/28867626/how-to-use-resolvdnsresourcegeneric
+      # Note: this includes some fixes too, I'll post a direct link back to the SO article.
+      Resolv::DNS.open do |dns|
+         all_records = dns.getresources(fqdn, Resolv::DNS::Resource::IN::ANY ) rescue nil
+         all_records.each do |rr|
+            if rr.is_a? Resolv::DNS::Resource::Generic then
+               classname = rr.class.name.split('::').last
+               if classname == "Type44_Class1"
+                 data = rr.data.bytes
+                 algo = data[0].to_s
+                 fptype = data[1].to_s
+                 fp = data[2..-1]
+                 hex = fp.map{|b| b.to_s(16).rjust(2,'0') }.join(':')
+                 sshfp_records << {"fptype" => FPTYPE_MAP[fptype.to_i], "algo" => ALGO_MAP[algo.to_i], "hex" => hex}
+               end
+            end
+         end
+      end
+
+      return sshfp_records.sort_by { |k| k["hex"] }
+    end
+  end
+end

data/lib/ssh_scan/tests/test_dns_key_verification.rb

@@ -0,0 +1,43 @@
+module SSHScan
+  module Tests
+    class DnsKeyVerification
+      def initialize(result)
+        @result = result
+      end
+
+      def pass?
+        @result.keys.each do |key,value|
+          valid = false
+
+          @result.dns_keys.each do |dns_key|
+            if key == dns_key["algo"] &&
+               value["fingerprints"].values.include?(dns_key["hex"])
+              valid = true
+            end
+          end
+
+          # This means we fail any key that's offered that's not verifiable via information from DNS
+          return false unless valid == true
+        end
+
+        return true
+      end
+
+      def fail_description
+        if pass?
+          ""
+        else
+          "One or more of the keys offered by the SSH service were not able to be verified using an SSHFS record"
+        end
+      end
+
+      def score_deduction
+        if pass?
+          0
+        else
+          -5
+        end
+      end
+    end
+  end
+end

data/lib/ssh_scan/version.rb

@@ -1,3 +1,3 @@
 module SSHScan
-  VERSION = '0.0.40'
+  VERSION = '0.0.41'
 end

data/lib/string_ext.rb

@@ -69,6 +69,31 @@ class String
     end
   end
 
+  # Stolen from: https://github.com/emonti/rbkb/blob/master/lib/rbkb/extends/string.rb
+  def hexify(opts={})
+    delim = opts[:delim]
+    pre = (opts[:prefix] || "")
+    suf = (opts[:suffix] || "")
+
+    if (rx=opts[:rx]) and not rx.kind_of? Regexp
+      raise "rx must be a regular expression for a character class"
+    end
+
+    hx = [("0".."9").to_a, ("a".."f").to_a].flatten
+
+    out=Array.new
+
+    self.each_byte do |c|
+      hc = if (rx and not rx.match c.chr)
+             c.chr
+           else
+             pre + (hx[(c >> 4)] + hx[(c & 0xf )]) + suf
+           end
+      out << (hc)
+    end
+    out.join(delim)
+  end
+
   def fqdn?
     begin
       resolve_fqdn

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ssh_scan
 version: !ruby/object:Gem::Version
-  version: 0.0.40
+  version: 0.0.41
 platform: ruby
 authors:
 - Jonathan Claudius
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-18 00:00:00.000000000 Z
+date: 2019-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -190,6 +190,7 @@ files:
 - lib/ssh_scan/public_key.rb
 - lib/ssh_scan/result.rb
 - lib/ssh_scan/scan_engine.rb
+- lib/ssh_scan/ssh_fp.rb
 - lib/ssh_scan/ssh_lib.rb
 - lib/ssh_scan/ssh_lib/ciscossh.rb
 - lib/ssh_scan/ssh_lib/cryptlib.rb
@@ -208,6 +209,7 @@ files:
 - lib/ssh_scan/ssh_lib/unknown.rb
 - lib/ssh_scan/subprocess.rb
 - lib/ssh_scan/target_parser.rb
+- lib/ssh_scan/tests/test_dns_key_verification.rb
 - lib/ssh_scan/update.rb
 - lib/ssh_scan/version.rb
 - lib/string_ext.rb