ssh_scan 0.0.8 → 0.0.9.beta.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1a02e7aa137511342eb655ddb1040cfbe8f39e47
-  data.tar.gz: 0db6be22ce2c16b3d389c742142f97b1288c422f
+  metadata.gz: c1c87c8107e90d90c415e7bc82fa379a8b0f53b4
+  data.tar.gz: fe3e44a14d6eb1f93a8a86423150520c187dfb70
 SHA512:
-  metadata.gz: 298a42ca4f082a1c733e30189988506b3b99d0e08aeb406daee23047242a5e4e73dd44e0845fd36ae13b3a67b59c0db6fe35b41840a08e7931833beba90c9ed6
-  data.tar.gz: abb0db799fe454f328e7043f9479427e09fc76360992401f4cf90e0b9db5068589cd14569d2921c56930520497a02171945bbcc08940ef1e46a837c1717072c1
+  metadata.gz: c0fe202b82f180482f8c56690b89f26a99966a8c1de2f454e29c5d4bc8490a796fdd5ae88f36a74eed42cb1c438fa5c579662571042b9e3e35157e2c4fcd171d
+  data.tar.gz: 3efc0086e634f5c2119e5de4e4b118844c0c62ba2eb3fbe912e48c51a64c44c5812cb7763e18f59817e1bb1721cb6b647819f733359aa250c18726be3f05573a

data/.travis.yml

@@ -1,5 +1,7 @@
 language: ruby
 rvm:
+  - 2.3.0
+  - 2.2.0
   - 2.1.3
   - 2.1.0
   - 2.0.0

data/README.md

@@ -8,26 +8,41 @@ A SSH configuration and policy scanner
 
 ## Key Benefits
 
-- **Minimal Dependancies** - Uses native Ruby and BinData to do it's work, no heavy dependancies.
+- **Minimal Dependancies** - Uses native Ruby and BinData to do its work, no heavy dependancies.
 - **Not Just a Script** - Implementation is portable for use in another project or for automation of tasks.
-- **Simple** - Just point ssh_scan at an SSH service and get a JSON report of what is supports and it's policy status
+- **Simple** - Just point `ssh_scan` at an SSH service and get a JSON report of what it supports and its policy status.
 - **Configurable** - Make your own custom policies that fit your unique policy requirements.
 
 ## Setup
 
-To install as a gem, type
+To install as a gem, type:
 
 ```bash
 gem install ssh_scan
 ssh_scan
 ```
 
-To install from source, type
+To install from source, type:
 
 ```bash
+# clone repo
 git clone https://github.com/mozilla/ssh_scan.git
 cd ssh_scan
-gem install bindata
+
+# install rvm,
+# you might have to provide root to install missing packages
+gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
+curl -sSL https://get.rvm.io | bash -s stable
+
+# install Ruby 2.1.3 with rvm,
+# again, you might have to install missing devel packages
+rvm install 2.1.3
+rvm use 2.1.3
+
+# resolve dependencies
+gem install bundler
+bundle install
+
 ./bin/ssh_scan
 ```
 
@@ -54,32 +69,29 @@ Run `ssh_scan -h` to get this
       ssh_scan -t 192.168.1.1 -P custom_policy.yml
       ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
 
-See here for [example video](https://asciinema.org/a/7pliiw5zqhj7eqvz7q437u6vx)
-
-See here for [example output](https://github.com/mozilla/ssh_scan/blob/master/examples/192.168.1.1.json)
-
-See here for [example policies](https://github.com/mozilla/ssh_scan/blob/master/policies)
+- See here for [example video](https://asciinema.org/a/7pliiw5zqhj7eqvz7q437u6vx)
+- See here for [example output](https://github.com/mozilla/ssh_scan/blob/master/examples/192.168.1.1.json)
+- See here for [example policies](https://github.com/mozilla/ssh_scan/blob/master/policies)
 
 ## Rubies Supported
 
 This project is integrated with [travis-ci](http://about.travis-ci.org/) and is regularly tested to work with the following rubies:
 
+* [ruby-head](https://github.com/ruby/ruby)
+* [2.3.0](https://github.com/ruby/ruby/tree/ruby_2_1)
+* [2.2.0](https://github.com/ruby/ruby/tree/ruby_2_1)
 * [2.1.3](https://github.com/ruby/ruby/tree/ruby_2_1)
 * [2.1.0](https://github.com/ruby/ruby/tree/ruby_2_1)
 * [2.0.0](https://github.com/ruby/ruby/tree/ruby_2_0_0)
-* [1.9.3](https://github.com/ruby/ruby/tree/ruby_1_9_3)
-* [ruby-head](https://github.com/ruby/ruby)
-* [jruby-head](http://jruby.org/)
-* [jruby-19mode](http://jruby.org/)
 
 To checkout the current build status for these rubies, click [here](https://travis-ci.org/#!/mozilla/ssh_scan).
 
 ## Contributing
 
-If you are interested in contributing to this project, please see [CONTRIBUTING.md](https://github.com/mozilla/ssh_scan/blob/master/CONTRIBUTING.md)
+If you are interested in contributing to this project, please see [CONTRIBUTING.md](https://github.com/mozilla/ssh_scan/blob/master/CONTRIBUTING.md).
 
 ## Credits
 
 **Sources of Inspiration for ssh_scan**
 
-- [**Mozilla OpenSSH Security Guide**](https://wiki.mozilla.org/Security/Guidelines/OpenSSH) - For providing a sane baseline policy recommendation for SSH configuration parameters (eg. Ciphers, Macs, and KexAlgos).
+- [**Mozilla OpenSSH Security Guide**](https://wiki.mozilla.org/Security/Guidelines/OpenSSH) - For providing a sane baseline policy recommendation for SSH configuration parameters (eg. Ciphers, MACs, and KexAlgos).

data/bin/ssh_scan

@@ -5,10 +5,11 @@ $:.unshift File.join(File.dirname(__FILE__), "../lib")
 
 require 'ssh_scan'
 require 'optparse'
+require 'netaddr'
 
 #Default options
 options = {
-  :target => nil,
+  :targets => [],
   :port => 22,
   :policy => File.expand_path("../../policies/mozilla_modern.yml", __FILE__),
   :unit_test => false
@@ -17,9 +18,26 @@ opt_parser = OptionParser.new do |opts|
   opts.banner = "ssh_scan v#{SSHScan::VERSION} (https://github.com/mozilla/ssh_scan)\n\n" +
                 "Usage: ssh_scan [options]"
 
-  opts.on("-t", "--target [IP/Hostname]",
-          "IP/Hostname (IPv4/IPv6/FQDNs)") do |ip|
-    options[:target] = ip
+  opts.on("-t", "--target [IP/Hostname]", Array,
+          "IP/Hostname (IPv4/IPv6/FQDNs)") do |ips|
+    ips.each do |ip|
+      if ip.fqdn?
+        options[:targets] += [ip]
+      else
+        options[:targets] += NetAddr::CIDR.create(ip).enumerate
+      end
+    end
+  end
+
+  opts.on("-f", "--file [FilePath]",
+          "File Path of the file containing IPs") do |file|
+    txt = open(file)
+    options[:targets] = txt.read.chomp.split(',')
+  end
+
+  opts.on("-o", "--outputFile [FilePath]",
+          "Writing JSON documents to disk") do |file|
+    $stdout.reopen(file, "w")
   end
 
   opts.on("-p", "--port [PORT]",
@@ -49,6 +67,8 @@ opt_parser = OptionParser.new do |opts|
     puts "\n  ssh_scan -t 192.168.1.1"
     puts "  ssh_scan -t server.example.com"
     puts "  ssh_scan -t ::1"
+    puts "  ssh_scan -f filePath"
+    puts "  ssh_scan -o filePath"
     puts "  ssh_scan -t 192.168.1.1 -p 22222"
     puts "  ssh_scan -t 192.168.1.1 -P custom_policy.yml"
     puts "  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml"
@@ -59,16 +79,18 @@ end
 
 opt_parser.parse!
 
-if options[:target].nil?
+if options[:targets].nil?
   puts opt_parser.help
   puts "\nReason: no target specified"
   exit
 end
 
-unless options[:target].ip_addr? || options[:target].fqdn?
-  puts opt_parser.help
-  puts "\nReason: #{options[:target]} is not a valid target"
-  exit
+options[:targets].each do |target|
+  unless target.ip_addr? || target.fqdn?
+    puts opt_parser.help
+    puts "\nReason: #{options[:targets]} is not a valid target"
+    exit
+  end
 end
 
 unless (0..65535).include?(options[:port])
@@ -87,12 +109,14 @@ options[:policy_file] = SSHScan::Policy.from_file(options[:policy])
 
 # Perform scan and get results
 scan_engine = SSHScan::ScanEngine.new()
-result = scan_engine.scan(options)
+results = scan_engine.scan(options)
 
-puts JSON.pretty_generate(result)
+puts JSON.pretty_generate(results)
 
-if result["compliance"] && result["compliance"][:compliant] == false
-  exit 1 #non-zero means a false
-else
-  exit 0 #non-zero means pass
+results.each do |result|
+  if result["compliance"] && result["compliance"][:compliant] == false
+    exit 1 #non-zero means a false
+  else
+    exit 0 #non-zero means pass
+  end
 end

data/lib/ssh_scan/banner.rb

@@ -22,7 +22,7 @@ module SSHScan
     def ssh_lib_guess()
       case @string
       when /OpenSSH/i
-        return SSHScan::SSHLib::OpenSSH.new()
+        return SSHScan::SSHLib::OpenSSH.new(@string)
       when /LibSSH/i
         return SSHScan::SSHLib::LibSSH.new()
       else
@@ -36,10 +36,14 @@ module SSHScan
         return SSHScan::OS::Ubuntu.new
       when /CentOS/i
         return SSHScan::OS::CentOS.new
+      when /RHEL|RedHat/i
+        return SSHScan::OS::RedHat.new
       when /FreeBSD/i
         return SSHScan::OS::FreeBSD.new
       when /Debian/i
         return SSHScan::OS::Debian.new
+      when /Windows/i
+        return SSHScan::OS::Windows.new
       else
         return SSHScan::OS::Unknown.new
       end

data/lib/ssh_scan/os/redhat.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class RedHat
+      def common
+        "redhat"
+      end
+
+      def cpe
+        "o:redhat:redhat"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os/ubuntu.rb

@@ -6,7 +6,7 @@ module SSHScan
       end
 
       def cpe
-        "o:canonical:freebsd"
+        "o:canonical:ubuntu"
       end
     end
   end

data/lib/ssh_scan/os/windows.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class Windows
+      def common
+        "windows"
+      end
+
+      def cpe
+        "o:microsoft:windows"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os.rb

@@ -2,4 +2,6 @@ require 'ssh_scan/os/centos'
 require 'ssh_scan/os/debian'
 require 'ssh_scan/os/freebsd'
 require 'ssh_scan/os/ubuntu'
+require 'ssh_scan/os/windows'
+require 'ssh_scan/os/redhat'
 require 'ssh_scan/os/unknown'

data/lib/ssh_scan/policy_manager.rb

@@ -103,10 +103,10 @@ module SSHScan
       recommendations = []
 
       # Add these items to be compliant
-      recommendations << "Add these Key Exchange Algos: #{missing_policy_kex.join(", ")}" unless missing_policy_kex.empty?
-      recommendations << "Add these MAC Algos: #{missing_policy_macs.join(", ")}" unless missing_policy_macs.empty?
-      recommendations << "Add these Encryption Ciphers: #{missing_policy_encryption.join(", ")}" unless missing_policy_encryption.empty?
-      recommendations << "Add these Compression Algos: #{missing_policy_compression.join(", ")}" unless missing_policy_compression.empty?
+      recommendations << "Add these Key Exchange Algos: #{missing_policy_kex.join(",")}" unless missing_policy_kex.empty?
+      recommendations << "Add these MAC Algos: #{missing_policy_macs.join(",")}" unless missing_policy_macs.empty?
+      recommendations << "Add these Encryption Ciphers: #{missing_policy_encryption.join(",")}" unless missing_policy_encryption.empty?
+      recommendations << "Add these Compression Algos: #{missing_policy_compression.join(",")}" unless missing_policy_compression.empty?
 
       # Remove these items to be compliant
       recommendations << "Remove these Key Exchange Algos: #{out_of_policy_kex.join(", ")}" unless out_of_policy_kex.empty?

data/lib/ssh_scan/scan_engine.rb

@@ -6,49 +6,56 @@ module SSHScan
   class ScanEngine
 
     def scan(opts)
-      target = opts[:target]
+      targets = opts[:targets]
       port = opts[:port]
       policy = opts[:policy_file]
 
       # Connect and get results (native)
-      client = SSHScan::Client.new(target, port)
-      client.connect()
-      result = client.get_kex_result()
-
-      # Connect and get results (Net-SSH)
-      net_ssh_session = Net::SSH::Transport::Session.new(target)
-      auth_session = Net::SSH::Authentication::Session.new(net_ssh_session, :auth_methods => ["none"])
-      auth_session.authenticate("none", "test", "test")
-      result['auth_methods'] = auth_session.allowed_auth_methods
-      host_key = net_ssh_session.host_keys.first
-      net_ssh_session.close
-
-      # only supporting RSA for the moment
-      unless OpenSSL::PKey::RSA
-        raise "Unknown host key type, need to add this host_key type"
+      result = []
+      targets.each_with_index do |target, index|
+        client = SSHScan::Client.new(target, port)
+        client.connect()
+        result.push(client.get_kex_result())
+
+        # Connect and get results (Net-SSH)
+        net_ssh_session = Net::SSH::Transport::Session.new(target, :port => port)
+        auth_session = Net::SSH::Authentication::Session.new(net_ssh_session, :auth_methods => ["none"])
+        auth_session.authenticate("none", "test", "test")
+        result[index]['auth_methods'] = auth_session.allowed_auth_methods
+        host_key = net_ssh_session.host_keys.first
+        net_ssh_session.close
+
+        # only supporting RSA for the moment
+        unless host_key.is_a?(OpenSSL::PKey::RSA)
+          raise "Unknown host key type, need to add this host_key type"
+        end
+
+        # only supporting RSA for the moment
+        unless OpenSSL::PKey::RSA
+          raise "Unknown host key type, need to add this host_key type"
+        end
+
+        data_string = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer.new(host_key.public_key.n),
+          OpenSSL::ASN1::Integer.new(host_key.public_key.e)
+        ])
+
+        fingerprint_md5 = OpenSSL::Digest::MD5.hexdigest(data_string.to_der).scan(/../).join(':')
+        fingerprint_sha1 = OpenSSL::Digest::SHA1.hexdigest(data_string.to_der).scan(/../).join(':')
+        fingerprint_sha256 = OpenSSL::Digest::SHA256.hexdigest(data_string.to_der).scan(/../).join(':')
+
+        result[index]['fingerprints'] = {
+          "md5" => fingerprint_md5,
+          "sha1" => fingerprint_sha1,
+          "sha256" => fingerprint_sha256,
+        }
+
+        # If policy defined, then add compliance results
+        unless policy.nil?
+          policy_mgr = SSHScan::PolicyManager.new(result[index], policy)
+          result[index]['compliance'] = policy_mgr.compliance_results
+        end
       end
-
-      data_string = OpenSSL::ASN1::Sequence([
-        OpenSSL::ASN1::Integer.new(host_key.public_key.n),
-        OpenSSL::ASN1::Integer.new(host_key.public_key.e)
-      ])
-
-      fingerprint_md5 = OpenSSL::Digest::MD5.hexdigest(data_string.to_der).scan(/../).join(':')
-      fingerprint_sha1 = OpenSSL::Digest::SHA1.hexdigest(data_string.to_der).scan(/../).join(':')
-      fingerprint_sha256 = OpenSSL::Digest::SHA256.hexdigest(data_string.to_der).scan(/../).join(':')
-
-      result['fingerprints'] = {
-        "md5" => fingerprint_md5,
-        "sha1" => fingerprint_sha1,
-        "sha256" => fingerprint_sha256,
-      }
-
-      # If policy defined, then add compliance results
-      unless policy.nil?
-        policy_mgr = SSHScan::PolicyManager.new(result, policy)
-        result['compliance'] = policy_mgr.compliance_results
-      end
-
       return result
     end
   end

data/lib/ssh_scan/ssh_lib/openssh.rb

@@ -1,12 +1,33 @@
 module SSHScan
   module SSHLib
     class OpenSSH
+      class Version
+        def initialize(version_string)
+          @version_string = version_string
+        end
+
+        def to_s
+          @version_string
+        end
+      end
+
+      def initialize(banner = nil)
+        @banner = banner
+      end
+
+      def version()
+        return nil if @banner.nil?
+        match = @banner.match(/OpenSSH_(\d+[\.\d+]+(p)?(\d+)?)/)
+        return nil if match.nil?
+        return OpenSSH::Version.new(match[1])
+      end
+
       def common
         "openssh"
       end
 
       def cpe
-        "a:openssh:openssh"
+        "a:openssh:openssh" << (":" + version.to_s) unless version.nil?
       end
     end
   end

data/lib/ssh_scan/version.rb

@@ -1,3 +1,3 @@
 module SSHScan
-  VERSION = '0.0.8'
+  VERSION = '0.0.9.beta.1'
 end

data/ssh_scan.gemspec

@@ -28,6 +28,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency('bindata', '~> 2.0')
   s.add_dependency('net-ssh')
+  s.add_dependency('netaddr')
   s.add_development_dependency('pry')
   s.add_development_dependency('rspec', '~> 3.0')
   s.add_development_dependency('rspec-its', '~> 1.2')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssh_scan
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.9.beta.1
 platform: ruby
 authors:
 - Jonathan Claudius
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-08-09 00:00:00.000000000 Z
+date: 2016-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: netaddr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -118,8 +132,10 @@ files:
 - lib/ssh_scan/os/centos.rb
 - lib/ssh_scan/os/debian.rb
 - lib/ssh_scan/os/freebsd.rb
+- lib/ssh_scan/os/redhat.rb
 - lib/ssh_scan/os/ubuntu.rb
 - lib/ssh_scan/os/unknown.rb
+- lib/ssh_scan/os/windows.rb
 - lib/ssh_scan/policy.rb
 - lib/ssh_scan/policy_manager.rb
 - lib/ssh_scan/protocol.rb
@@ -148,9 +164,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.6.2