ssh_scan 0.0.21 → 0.0.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 504c40725362aee1beeb3795b3ea1fc7eb8af8a8
-  data.tar.gz: fcd896ac346c21474fab15b925562ec5a7c6c3e6
+  metadata.gz: a161adf0202c747f948c9161675b567c6b715b4f
+  data.tar.gz: 5533118de4e0f7ef6eb26bc60adb915ffbde9cae
 SHA512:
-  metadata.gz: ed59a66f3da720810d4834c4128c1e3b5effd68e572d46664a5d4151f89d5cc95f9a0094cdc69409d5413b1f643362fcf23289a1a9cfd4fc7f2857ffd31d199e
-  data.tar.gz: e7a761c9eb05247ec41d1fa8acb0b11d7265636934c7b5d76a940d7541212fe6a3675686ee4e8055d8f9fe3fe91d0e080ddd3e7c6cdc444ae7c589f987937879
+  metadata.gz: 1c7f1fc49e71437001aa5e6cd8f8d63cadc127dde727d469e6d94002533a3f525eb69ce364d40dcf28cce05dcaf17dcb757bb51615a36f5b6497d6a289d6529d
+  data.tar.gz: 654a3c0ec780433fadd09db4bb0eb77f18bc60dc088c28e6073a8876d2f3fe717dd568180347bcc31ce8834fd5e30c4b83a19cff8ba01979587f16f40aacc403

data/.travis.yml

@@ -34,6 +34,14 @@ matrix:
       - bundle install
       - chmod 755 ./spec/ssh_scan/integration.sh
       - ./spec/ssh_scan/integration.sh
+  - rvm: 2.3.0
+    env:
+      - LABEL=docker_integration_tests
+    services:
+      - docker
+    script:
+      - docker build -t mozilla/ssh_scan .
+      - docker run -it mozilla/ssh_scan /app/spec/ssh_scan/integration.sh
   - rvm: 2.3.0
     env:
       - LABEL=docker_build_push
@@ -42,7 +50,7 @@ matrix:
     script:
       - docker build -t mozilla/ssh_scan .
       - >
-          if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then \
+          if [ [ "$TRAVIS_PULL_REQUEST" == "false" ] && [ "$TRAVIS_BRANCH" == "master" ] ]; then \
             docker login -u="$DOCKER_USER" -p="$DOCKER_PASS" ;\
             docker push mozilla/ssh_scan:latest ;\
           else \

data/README.md

@@ -28,7 +28,7 @@ To run from a docker container, type:
 
 ```bash
 docker pull mozilla/ssh_scan
-docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com
+docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t sshscan.rubidus.com
 ```
 
 To install and run from source, type:
@@ -38,17 +38,6 @@ To install and run from source, type:
 git clone https://github.com/mozilla/ssh_scan.git
 cd ssh_scan
 
-# install rvm,
-# you might have to provide root to install missing packages
-gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
-curl -sSL https://get.rvm.io | bash -s stable
-
-# install Ruby 2.3.1 with rvm,
-# again, you might have to install missing devel packages
-rvm install 2.3.1
-rvm use 2.3.1
-
-# resolve dependencies
 gem install bundler
 bundle install
 
@@ -60,7 +49,7 @@ bundle install
 Run `ssh_scan -h` to get this
 
 ```bash
-ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan)
+ssh_scan v0.0.21 (https://github.com/mozilla/ssh_scan)
 
 Usage: ssh_scan [options]
     -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan

data/bin/ssh_scan

@@ -261,8 +261,7 @@ puts JSON.pretty_generate(results)
 
 if options["unit_test"] == true
   results.each do |result|
-    if result["compliance"] &&
-       result["compliance"][:compliant] == false
+    if result.compliant == false
       exit 1 #non-zero means a false
     else
       exit 0 #non-zero means pass

data/config/policies/mozilla_intermediate.yml

@@ -12,8 +12,5 @@ encryption:
 macs:
 - hmac-sha2-512
 - hmac-sha2-256
-compression:
-- none
-- zlib@openssh.com
 references:
 - https://wiki.mozilla.org/Security/Guidelines/OpenSSH

data/config/policies/mozilla_modern.yml

@@ -23,8 +23,5 @@ macs:
 - hmac-sha2-512
 - hmac-sha2-256
 - umac-128@openssh.com
-compression:
-- none
-- zlib@openssh.com
 references:
 - https://wiki.mozilla.org/Security/Guidelines/OpenSSH

data/lib/ssh_scan.rb

@@ -13,6 +13,8 @@ require 'ssh_scan/scan_engine'
 require 'ssh_scan/target_parser'
 require 'ssh_scan/update'
 require 'ssh_scan/fingerprint_database'
+require 'ssh_scan/grader'
+require 'ssh_scan/result'
 
 #Monkey Patches
 require 'string_ext'

data/lib/ssh_scan/banner.rb

@@ -21,8 +21,8 @@ module SSHScan
     #   or "SSH-number" then return the number, else return
     #   "unknown"
     def ssh_version()
-      if version = @string.match(/SSH-(\d+[\.\d+]+)/)[1]
-        return version.to_f
+      if match = @string.match(/SSH-(\d+[\.\d+]+)/)
+        return match[1].to_f
       else
         return "unknown"
       end

data/lib/ssh_scan/client.rb

@@ -6,19 +6,36 @@ require 'ssh_scan/error'
 
 module SSHScan
   class Client
-    def initialize(target, port, timeout = 3)
-      @target = target
+    def initialize(ip, port, timeout = 3)
+      @ip = ip
       @timeout = timeout
 
-      @port = port
+      @port = port.to_i
       @client_banner = SSHScan::Constants::DEFAULT_CLIENT_BANNER
       @server_banner = nil
       @kex_init_raw = SSHScan::Constants::DEFAULT_KEY_INIT.to_binary_s
     end
 
+    def ip
+      @ip
+    end
+
+    def port
+      @port
+    end
+
+    def banner
+      @server_banner
+    end
+
     def connect()
+      @error = nil
+
       begin
-        @sock = Socket.tcp(@target, @port, connect_timeout: @timeout)
+        @sock = Socket.tcp(@ip, @port, connect_timeout: @timeout)
+      rescue SocketError => e
+        @error = SSHScan::Error::ConnectionRefused.new(e.message)
+        @sock = nil
       rescue Errno::ETIMEDOUT => e
         @error = SSHScan::Error::ConnectTimeout.new(e.message)
         @sock = nil
@@ -53,58 +70,53 @@ module SSHScan
       end
     end
 
-    def get_kex_result(kex_init_raw = @kex_init_raw)
-      # Common options for all cases
-      result = {}
-      result[:ssh_scan_version] = SSHScan::VERSION
-      result[:ip] = @target
-      result[:port] = @port
+    def error?
+      !@error.nil?
+    end
 
+    def error
+      @error
+    end
+
+    def get_kex_result(kex_init_raw = @kex_init_raw)
       if !@sock
-        result[:error] = @error
-        return result
+        @error = "Socket is no longer valid"
+        return nil
       end
 
-      # Assemble and print results
-      result[:server_banner] = @server_banner.to_s
-      result[:ssh_version] = @server_banner.ssh_version
-      result[:os] = @server_banner.os_guess.common
-      result[:os_cpe] = @server_banner.os_guess.cpe
-      result[:ssh_lib] = @server_banner.ssh_lib_guess.common
-      result[:ssh_lib_cpe] = @server_banner.ssh_lib_guess.cpe
-
       begin
         @sock.write(kex_init_raw)
         resp = @sock.read(4)
 
         if resp.nil?
-          result[:error] = SSHScan::Error::NoKexResponse.new(
+          @error = SSHScan::Error::NoKexResponse.new(
             "service did not respond to our kex init request"
           )
           @sock = nil
-          return result
+          return nil
         end
 
         resp += @sock.read(resp.unpack("N").first)
         @sock.close
 
         kex_exchange_init = SSHScan::KeyExchangeInit.read(resp)
-        result.merge!(kex_exchange_init.to_hash)
       rescue Errno::ETIMEDOUT => e
         @error = SSHScan::Error::ConnectTimeout.new(e.message)
         @sock = nil
+        return nil
       rescue Errno::ECONNREFUSED,
              Errno::ENETUNREACH,
              Errno::ECONNRESET,
              Errno::EACCES,
              Errno::EHOSTUNREACH
-        result[:error] = SSHScan::Error::NoKexResponse.new(
+        @error = SSHScan::Error::NoKexResponse.new(
           "service did not respond to our kex init request"
         )
         @sock = nil
+        return nil
       end
 
-      return result
+      return kex_exchange_init.to_hash
     end
   end
 end

data/lib/ssh_scan/grader.rb

@@ -0,0 +1,32 @@
+module SSHScan
+  # A very crude means of translating # of compliance recommendations into a a grade
+  # Basic formula is 100 - (# of recommendations * 10)
+  class Grader
+    GRADE_MAP = {
+      91..100 => "A",
+      81..90 => "B",
+      71..80 => "C",
+      61..70 => "D",
+      0..60 => "F",
+    }
+
+    def initialize(result)
+      @result = result
+    end
+
+    def grade
+      score = 100
+
+      if @result.compliance_recommendations.each do |recommendation|
+          score -= 10
+        end
+      end
+
+      GRADE_MAP.each do |score_range,grade|
+        if score_range.include?(score)
+          return grade
+        end
+      end
+    end
+  end
+end

data/lib/ssh_scan/policy.rb

@@ -15,7 +15,7 @@ module SSHScan
       @compression = opts['compression'] || []
       @references = opts['references'] || []
       @auth_methods = opts['auth_methods'] || []
-      @ssh_version = opts['ssh_version'] || false
+      @ssh_version = opts['ssh_version'] || nil
     end
 
     # Generate a {SSHScan::Policy} object from YAML file.

data/lib/ssh_scan/policy_manager.rb

@@ -7,9 +7,10 @@ module SSHScan
     end
 
     def out_of_policy_encryption
+      return [] if @policy.encryption.empty?
       target_encryption =
-        @result[:encryption_algorithms_client_to_server] |
-        @result[:encryption_algorithms_server_to_client]
+        @result.encryption_algorithms_client_to_server |
+        @result.encryption_algorithms_server_to_client
       outliers = []
       target_encryption.each do |target_enc|
         outliers << target_enc unless @policy.encryption.include?(target_enc)
@@ -18,9 +19,10 @@ module SSHScan
     end
 
     def missing_policy_encryption
+      return [] if @policy.encryption.empty?
       target_encryption =
-        @result[:encryption_algorithms_client_to_server] |
-        @result[:encryption_algorithms_server_to_client]
+        @result.encryption_algorithms_client_to_server |
+        @result.encryption_algorithms_server_to_client
       outliers = []
       @policy.encryption.each do |encryption|
         if target_encryption.include?(encryption) == false
@@ -31,9 +33,10 @@ module SSHScan
     end
 
     def out_of_policy_macs
+      return [] if @policy.macs.empty?
       target_macs =
-        @result[:mac_algorithms_server_to_client] |
-        @result[:mac_algorithms_client_to_server]
+        @result.mac_algorithms_server_to_client |
+        @result.mac_algorithms_client_to_server
       outliers = []
       target_macs.each do |target_mac|
         outliers << target_mac unless @policy.macs.include?(target_mac)
@@ -42,9 +45,10 @@ module SSHScan
     end
 
     def missing_policy_macs
+      return [] if @policy.macs.empty?
       target_macs =
-        @result[:mac_algorithms_server_to_client] |
-        @result[:mac_algorithms_client_to_server]
+        @result.mac_algorithms_server_to_client |
+        @result.mac_algorithms_client_to_server
       outliers = []
 
       @policy.macs.each do |mac|
@@ -56,7 +60,8 @@ module SSHScan
     end
 
     def out_of_policy_kex
-      target_kexs = @result[:key_algorithms]
+      return [] if @policy.kex.empty?
+      target_kexs = @result.key_algorithms
       outliers = []
       target_kexs.each do |target_kex|
         outliers << target_kex unless @policy.kex.include?(target_kex)
@@ -65,7 +70,8 @@ module SSHScan
     end
 
     def missing_policy_kex
-      target_kex = @result[:key_algorithms]
+      return [] if @policy.kex.empty?
+      target_kex = @result.key_algorithms
       outliers = []
 
       @policy.kex.each do |kex|
@@ -77,9 +83,10 @@ module SSHScan
     end
 
     def out_of_policy_compression
+      return [] if @policy.compression.empty?
       target_compressions =
-        @result[:compression_algorithms_server_to_client] |
-        @result[:compression_algorithms_client_to_server]
+        @result.compression_algorithms_server_to_client |
+        @result.compression_algorithms_client_to_server
       outliers = []
       target_compressions.each do |target_compression|
         outliers << target_compression unless
@@ -89,9 +96,10 @@ module SSHScan
     end
 
     def missing_policy_compression
+      return [] if @policy.compression.empty?
       target_compressions =
-        @result[:compression_algorithms_server_to_client] |
-        @result[:compression_algorithms_client_to_server]
+        @result.compression_algorithms_server_to_client |
+        @result.compression_algorithms_client_to_server
       outliers = []
 
       @policy.compression.each do |compression|
@@ -103,9 +111,9 @@ module SSHScan
     end
 
     def out_of_policy_auth_methods
-      return [] if @result["auth_methods"].nil?
-
-      target_auth_methods = @result["auth_methods"]
+      return [] if @policy.auth_methods.empty?
+      return [] if @result.auth_methods.empty?
+      target_auth_methods = @result.auth_methods
       outliers = []
 
       if not @policy.auth_methods.empty?
@@ -119,7 +127,8 @@ module SSHScan
     end
 
     def out_of_policy_ssh_version
-      target_ssh_version = @result[:ssh_version]
+      return false if @policy.ssh_version.nil?
+      target_ssh_version = @result.ssh_version
       if @policy.ssh_version
         if target_ssh_version < @policy.ssh_version
           return true

data/lib/ssh_scan/result.rb

@@ -0,0 +1,271 @@
+require 'json'
+require 'ssh_scan/banner'
+require 'ipaddr'
+require 'string_ext'
+require 'set'
+
+module SSHScan
+  class Result
+    def initialize()
+      @version = SSHScan::VERSION
+      @fingerprints = nil
+      @duplicate_host_key_ips = Set.new()
+      @compliance = {}
+    end
+
+    def version
+      @version
+    end
+
+    def ip
+      @ip
+    end
+
+    def ip=(ip)
+      unless ip.is_a?(String) && ip.ip_addr?
+        raise ArgumentError, "Invalid attempt to set IP to a non-IP address value"
+      end
+
+      @ip = ip
+    end
+
+    def port
+      @port
+    end
+
+    def port=(port)
+      unless port.is_a?(Integer) && port > 0 && port <= 65535
+        raise ArgumentError, "Invalid attempt to set port to a non-port value"
+      end
+
+      @port = port
+    end
+
+    def banner()
+      @banner || SSHScan::Banner.new("")
+    end
+
+    def hostname=(hostname)
+      @hostname = hostname
+    end
+
+    def hostname()
+      @hostname || ""
+    end
+
+    def banner=(banner)
+      unless banner.is_a?(SSHScan::Banner)
+        raise ArgumentError, "Invalid attempt to set banner with a non-banner object"
+      end
+
+      @banner = banner
+    end
+
+    def ssh_version
+      self.banner.ssh_version
+    end
+
+    def os_guess_common
+      self.banner.os_guess.common
+    end
+
+    def os_guess_cpe
+      self.banner.os_guess.cpe
+    end
+
+    def ssh_lib_guess_common
+      self.banner.ssh_lib_guess.common
+    end
+
+    def ssh_lib_guess_cpe
+      self.banner.ssh_lib_guess.cpe
+    end
+
+    def cookie
+      @cookie || ""
+    end
+
+    def key_algorithms
+      @hex_result_hash ? @hex_result_hash[:key_algorithms] : []
+    end
+
+    def server_host_key_algorithms
+      @hex_result_hash ? @hex_result_hash[:server_host_key_algorithms] : []
+    end
+
+    def encryption_algorithms_client_to_server
+      @hex_result_hash ? @hex_result_hash[:encryption_algorithms_client_to_server] : []
+    end
+
+    def encryption_algorithms_server_to_client
+      @hex_result_hash ? @hex_result_hash[:encryption_algorithms_server_to_client] : []
+    end
+
+    def mac_algorithms_client_to_server
+      @hex_result_hash ? @hex_result_hash[:mac_algorithms_client_to_server] : []
+    end
+
+    def mac_algorithms_server_to_client
+      @hex_result_hash ? @hex_result_hash[:mac_algorithms_server_to_client] : []
+    end
+
+    def compression_algorithms_client_to_server
+      @hex_result_hash ? @hex_result_hash[:compression_algorithms_client_to_server] : []
+    end
+
+    def compression_algorithms_server_to_client
+      @hex_result_hash ? @hex_result_hash[:compression_algorithms_server_to_client] : []
+    end
+
+    def languages_client_to_server
+      @hex_result_hash ? @hex_result_hash[:languages_client_to_server] : []
+    end
+
+    def languages_server_to_client
+      @hex_result_hash ? @hex_result_hash[:languages_server_to_client] : []
+    end
+
+    def set_kex_result(kex_result)
+      @hex_result_hash = kex_result.to_hash
+    end
+
+    def set_start_time
+      @start_time = Time.now
+    end
+
+    def start_time
+      @start_time
+    end
+
+    def set_end_time
+      @end_time = Time.now
+    end
+
+    def scan_duration
+      if start_time.nil?
+        raise "Cannot calculate scan duration without start_time set"
+      end
+
+      if end_time.nil?
+        raise "Cannot calculate scan duration without end_time set"
+      end
+
+      end_time - start_time
+    end
+
+    def end_time
+      @end_time
+    end
+
+    def auth_methods=(auth_methods)
+      @auth_methods = auth_methods
+    end
+
+    def fingerprints=(fingerprints)
+      @fingerprints = fingerprints
+    end
+
+    def fingerprints
+      @fingerprints
+    end
+
+    def duplicate_host_key_ips=(duplicate_host_key_ips)
+      @duplicate_host_key_ips = duplicate_host_key_ips
+    end
+
+    def duplicate_host_key_ips
+      @duplicate_host_key_ips
+    end
+
+    def auth_methods()
+      @auth_methods || []
+    end
+
+    def set_compliance=(compliance)
+      @compliance = compliance
+    end
+
+    def compliance_policy
+      @compliance[:policy]
+    end
+
+    def compliant?
+      @compliance[:compliant]
+    end
+
+    def compliance_references
+      @compliance[:references]
+    end
+
+    def compliance_recommendations
+      @compliance[:recommendations]
+    end
+
+    def set_client_attributes(client)
+      self.ip = client.ip
+      self.port = client.port || 22
+      self.banner = client.banner || SSHScan::Banner.new("")
+    end
+
+    def error=(error)
+      @error = error.to_s
+    end
+
+    def error?
+      !@error.nil?
+    end
+
+    def error
+      @error
+    end
+
+    def grade=(grade)
+      @compliance_grade = grade
+    end
+
+    def grade
+      @compliance_grade
+    end
+
+    def to_hash
+      hashed_object = {
+      	"ssh_scan_version" => self.version,
+      	"ip" => self.ip,
+        "hostname" => self.hostname,
+      	"port" => self.port,
+      	"server_banner" => self.banner.to_s,
+      	"ssh_version" => self.ssh_version,
+      	"os" => self.os_guess_common,
+      	"os_cpe" => self.os_guess_cpe,
+      	"ssh_lib" => self.ssh_lib_guess_common,
+      	"ssh_lib_cpe" => self.ssh_lib_guess_cpe,
+      	"key_algorithms" => self.key_algorithms,
+      	"encryption_algorithms_client_to_server" => self.encryption_algorithms_client_to_server,
+      	"encryption_algorithms_server_to_client" => self.encryption_algorithms_server_to_client,
+      	"mac_algorithms_client_to_server" => self.mac_algorithms_client_to_server,
+      	"mac_algorithms_server_to_client" => self.mac_algorithms_server_to_client,
+      	"compression_algorithms_client_to_server" => self.compression_algorithms_client_to_server,
+      	"compression_algorithms_server_to_client" => self.compression_algorithms_server_to_client,
+      	"languages_client_to_server" => self.languages_client_to_server,
+      	"languages_server_to_client" => self.languages_server_to_client,
+      	"auth_methods" => self.auth_methods,
+        "fingerprints" => self.fingerprints,
+        "duplicate_host_key_ips" => self.duplicate_host_key_ips,
+      	"compliance" => @compliance,
+        "start_time" => self.start_time,
+        "end_time" => self.end_time,
+        "scan_duration_seconds" => self.scan_duration,
+      }
+
+      if self.error?
+        hashed_object.error = self.error
+      end
+
+      hashed_object
+    end
+
+    def to_json
+      self.to_hash.to_json
+    end
+  end
+end

data/lib/ssh_scan/scan_engine.rb

@@ -4,6 +4,7 @@ require 'ssh_scan/crypto'
 #require 'ssh_scan/fingerprint_database'
 require 'net/ssh'
 require 'logger'
+require 'open3'
 
 module SSHScan
   # Handle scanning of targets.
@@ -19,41 +20,65 @@ module SSHScan
         port = 22
       end
       timeout = opts["timeout"]
-      result = []
+      
+      result = SSHScan::Result.new()
+      result.port = port.to_i
 
-      start_time = Time.now
+      # Start the scan timer
+      result.set_start_time
 
       if target.fqdn?
+        result.hostname = target
+
+        # If doesn't resolve as IPv6, we'll try IPv4
         if target.resolve_fqdn_as_ipv6.nil?
           client = SSHScan::Client.new(
             target.resolve_fqdn_as_ipv4.to_s, port, timeout
           )
           client.connect()
-          result = client.get_kex_result()
-          result[:hostname] = target
-          return result if result.include?(:error)
+          result.set_client_attributes(client)
+          kex_result = client.get_kex_result()
+          result.set_kex_result(kex_result) unless kex_result.nil?
+          result.error = client.error if client.error?
+        # If it does resolve as IPv6, we're try IPv6
         else
           client = SSHScan::Client.new(
             target.resolve_fqdn_as_ipv6.to_s, port, timeout
           )
           client.connect()
-          result = client.get_kex_result()
-          if result.include?(:error)
+          result.set_client_attributes(client)
+          kex_result = client.get_kex_result()
+          result.set_kex_result(kex_result) unless kex_result.nil?
+          result.error = client.error if client.error?
+
+          # If resolves as IPv6, but somehow we get an client error, fall-back to IPv4
+          if result.error?
             client = SSHScan::Client.new(
               target.resolve_fqdn_as_ipv4.to_s, port, timeout
             )
             client.connect()
-            result = client.get_kex_result()
-            result[:hostname] = target
-            return result if result.include?(:error)
+            result.set_client_attributes(client)
+            kex_result = client.get_kex_result()
+            result.set_kex_result(kex_result) unless kex_result.nil?
+            result.error = client.error if client.error?
           end
         end
       else
         client = SSHScan::Client.new(target, port, timeout)
         client.connect()
-        result = client.get_kex_result()
-        result[:hostname] = target.resolve_ptr
-        return result if result.include?(:error)
+        result.set_client_attributes(client)
+        kex_result = client.get_kex_result()
+        result.set_kex_result(kex_result)
+
+        # Attempt to suppliment a hostname that wasn't provided
+        result.hostname = target.resolve_ptr
+        
+        result.error = client.error if client.error?
+      end
+
+      if result.error?
+        result.set_end_time
+        return result
       end
 
       # Connect and get results (Net-SSH)
@@ -69,57 +94,54 @@ module SSHScan
           net_ssh_session, :auth_methods => ["none"]
         )
         auth_session.authenticate("none", "test", "test")
-        result['auth_methods'] = auth_session.allowed_auth_methods
+        result.auth_methods = auth_session.allowed_auth_methods
         net_ssh_session.close
       rescue Net::SSH::ConnectionTimeout => e
-        result[:error] = e
-        result[:error] = SSHScan::Error::ConnectTimeout.new(e.message)
+        result.error = SSHScan::Error::ConnectTimeout.new(e.message)
       rescue Net::SSH::Disconnect => e
-        result[:error] = e
-        result[:error] = SSHScan::Error::Disconnected.new(e.message)
+        result.error = SSHScan::Error::Disconnected.new(e.message)
       rescue Net::SSH::Exception => e
         if e.to_s.match(/could not settle on/)
-          result[:error] = e
+          result.error = e
         else
           raise e
         end
-      else
-        result['fingerprints'] = {}
-        host_keys = `ssh-keyscan -t rsa,dsa #{target} 2>/dev/null`.split
-        host_keys_len = host_keys.length - 1
-
-        for i in 0..host_keys_len
-          if host_keys[i].eql? "ssh-dss"
-            pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
-            result['fingerprints'].merge!({
-              "dsa" => {
-                "known_bad" => pkey.bad_key?.to_s,
-                "md5" => pkey.fingerprint_md5,
-                "sha1" => pkey.fingerprint_sha1,
-                "sha256" => pkey.fingerprint_sha256,
-              }
-            })
-          end
+      end
 
-          if host_keys[i].eql? "ssh-rsa"
-            pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
-            result['fingerprints'].merge!({
-              "rsa" => {
-                "known_bad" => pkey.bad_key?.to_s,
-                "md5" => pkey.fingerprint_md5,
-                "sha1" => pkey.fingerprint_sha1,
-                "sha256" => pkey.fingerprint_sha256,
-              }
-            })
-          end
+      # Figure out what rsa or dsa fingerprints exist
+      fingerprints = {}
+
+      host_keys = `ssh-keyscan -t rsa,dsa #{target} 2>/dev/null`.split
+      host_keys_len = host_keys.length - 1
+
+      for i in 0..host_keys_len
+        if host_keys[i].eql? "ssh-dss"
+          pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
+          fingerprints.merge!({
+            "dsa" => {
+              "known_bad" => pkey.bad_key?.to_s,
+              "md5" => pkey.fingerprint_md5,
+              "sha1" => pkey.fingerprint_sha1,
+              "sha256" => pkey.fingerprint_sha256,
+            }
+          })
+        end
+
+        if host_keys[i].eql? "ssh-rsa"
+          pkey = SSHScan::Crypto::PublicKey.new(host_keys[i + 1])
+          fingerprints.merge!({
+            "rsa" => {
+              "known_bad" => pkey.bad_key?.to_s,
+              "md5" => pkey.fingerprint_md5,
+              "sha1" => pkey.fingerprint_sha1,
+              "sha256" => pkey.fingerprint_sha256,
+            }
+          })
         end
       end
 
-      # Add scan times
-      end_time = Time.now
-      result['start_time'] = start_time.to_s
-      result['end_time'] = end_time.to_s
-      result['scan_duration_seconds'] = end_time - start_time
+      result.fingerprints = fingerprints
+      result.set_end_time
 
       return result
     end
@@ -156,13 +178,14 @@ module SSHScan
         opts['fingerprint_database']
       )
       results.each do |result|
-        fingerprint_db.clear_fingerprints(result[:ip])
-        if result['fingerprints']
-          result['fingerprints'].values.each do |host_key_algo|
+        fingerprint_db.clear_fingerprints(result.ip)
+
+        if result.fingerprints
+          result.fingerprints.values.each do |host_key_algo|
             host_key_algo.each do |fingerprint|
               key, value = fingerprint
               next if key == "known_bad"
-              fingerprint_db.add_fingerprint(value, result[:ip])
+              fingerprint_db.add_fingerprint(value, result.ip)
             end
           end
         end
@@ -170,45 +193,48 @@ module SSHScan
 
       # Decorate all the results with duplicate keys
       results.each do |result|
-        if result['fingerprints']
-          ip = result[:ip]
-          result['duplicate_host_key_ips'] = []
-          result['fingerprints'].values.each do |host_key_algo|
+        if result.fingerprints
+          ip = result.ip
+          result.duplicate_host_key_ips = []
+          result.fingerprints.values.each do |host_key_algo|
             host_key_algo.each do |fingerprint|
               key, value = fingerprint
               next if key == "known_bad"
               fingerprint_db.find_fingerprints(value).each do |other_ip|
                 next if ip == other_ip
-                result['duplicate_host_key_ips'] << other_ip
+                result.duplicate_host_key_ips << other_ip
               end
             end
           end
-          result['duplicate_host_key_ips'].uniq!
+          result.duplicate_host_key_ips
         end
       end
 
       # Decorate all the results with compliance information
       results.each do |result|
         # Do this only when we have all the information we need
-        if !opts["policy"].nil? &&
-           !result[:key_algorithms].nil? &&
-           !result[:server_host_key_algorithms].nil? &&
-           !result[:encryption_algorithms_client_to_server].nil? &&
-           !result[:encryption_algorithms_server_to_client].nil? &&
-           !result[:mac_algorithms_client_to_server].nil? &&
-           !result[:mac_algorithms_server_to_client].nil? &&
-           !result[:compression_algorithms_client_to_server].nil? &&
-           !result[:compression_algorithms_server_to_client].nil? &&
-           !result[:languages_client_to_server].nil? &&
-           !result[:languages_server_to_client].nil?
+        if opts["policy"] &&
+           result.key_algorithms.any? &&
+           result.server_host_key_algorithms.any? &&
+           result.encryption_algorithms_client_to_server.any? &&
+           result.encryption_algorithms_server_to_client.any? &&
+           result.mac_algorithms_client_to_server.any? &&
+           result.mac_algorithms_server_to_client.any? &&
+           result.compression_algorithms_client_to_server.any? &&
+           result.compression_algorithms_server_to_client.any?
 
           policy = SSHScan::Policy.from_file(opts["policy"])
           policy_mgr = SSHScan::PolicyManager.new(result, policy)
-          result['compliance'] = policy_mgr.compliance_results
+          result.set_compliance = policy_mgr.compliance_results
+
+          if result.compliance_policy
+            grader = SSHScan::Grader.new(result)
+            result.grade = grader.grade
+          end
         end
       end
 
-      return results
+      return results.map {|r| r.to_hash}
     end
   end
 end

data/lib/ssh_scan/version.rb

@@ -1,3 +1,3 @@
 module SSHScan
-  VERSION = '0.0.21'
+  VERSION = '0.0.22'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ssh_scan
 version: !ruby/object:Gem::Version
-  version: 0.0.21
+  version: 0.0.22
 platform: ruby
 authors:
 - Jonathan Claudius
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-25 00:00:00.000000000 Z
+date: 2017-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -351,6 +351,7 @@ files:
 - lib/ssh_scan/error/no_banner.rb
 - lib/ssh_scan/error/no_kex_response.rb
 - lib/ssh_scan/fingerprint_database.rb
+- lib/ssh_scan/grader.rb
 - lib/ssh_scan/os.rb
 - lib/ssh_scan/os/centos.rb
 - lib/ssh_scan/os/cisco.rb
@@ -366,6 +367,7 @@ files:
 - lib/ssh_scan/policy.rb
 - lib/ssh_scan/policy_manager.rb
 - lib/ssh_scan/protocol.rb
+- lib/ssh_scan/result.rb
 - lib/ssh_scan/scan_engine.rb
 - lib/ssh_scan/ssh_lib.rb
 - lib/ssh_scan/ssh_lib/ciscossh.rb