ssh_scan 0.0.6 → 0.0.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +6 -4
- data/bin/ssh_scan +32 -5
- data/lib/ssh_scan/client.rb +15 -7
- data/lib/ssh_scan/policy_manager.rb +1 -1
- data/lib/ssh_scan/scan_engine.rb +6 -2
- data/lib/ssh_scan/version.rb +1 -1
- data/lib/string_ext.rb +33 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 523f33ca35c02c11f2a59a1cab89e06cc6dbed10
|
4
|
+
data.tar.gz: e94e1d5cfb9df79e4e32e09e34d7e2670bafe223
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 499ca37ef4d13b353074a9ee3ea03484c87f1f633a8e4b02b93f4014f5b9be2cf4700ff0b28ab2b101e2ab491bdb7a85672379bb691b98b20d388be41ab38d33
|
7
|
+
data.tar.gz: a82121192d78b156c218bd53ecc27edf661f417c3deb028f999ae6dda7ee7b017db3af2113628e31d89c6446a4c0a4044b9cda309f2e73e9a1e59440a2e7b1a4
|
data/README.md
CHANGED
@@ -2,6 +2,7 @@
|
|
2
2
|
|
3
3
|
[![Build Status](https://secure.travis-ci.org/claudijd/ssh_scan.png)](http://travis-ci.org/claudijd/ssh_scan)
|
4
4
|
[![Code Climate](https://codeclimate.com/github/claudijd/ssh_scan.png)](https://codeclimate.com/github/claudijd/ssh_scan)
|
5
|
+
[![Gem Version](https://badge.fury.io/rb/ssh_scan.svg)](https://badge.fury.io/rb/ssh_scan)
|
5
6
|
|
6
7
|
A SSH configuration and policy scanner
|
7
8
|
|
@@ -34,10 +35,10 @@ gem install bindata
|
|
34
35
|
|
35
36
|
Run `ssh_scan -h` to get this
|
36
37
|
|
37
|
-
ssh_scan v0.0.
|
38
|
+
ssh_scan v0.0.6 (https://github.com/claudijd/ssh_scan)
|
38
39
|
|
39
40
|
Usage: ssh_scan [options]
|
40
|
-
-t, --target [IP]
|
41
|
+
-t, --target [IP/Hostname] IP/Hostname
|
41
42
|
-p, --port [PORT] Port (Default: 22)
|
42
43
|
-P, --policy [FILE] Policy file (Default: Mozilla Modern)
|
43
44
|
-h, --help Show this message
|
@@ -45,8 +46,9 @@ Run `ssh_scan -h` to get this
|
|
45
46
|
Examples:
|
46
47
|
|
47
48
|
ssh_scan -t 192.168.1.1
|
48
|
-
ssh_scan -t
|
49
|
-
ssh_scan -t
|
49
|
+
ssh_scan -t server.example.com
|
50
|
+
ssh_scan -t server.example.com -p 22222
|
51
|
+
ssh_scan -t server.example.com -P custom_policy.yml
|
50
52
|
|
51
53
|
See here for [example output](https://github.com/claudijd/ssh_scan/blob/master/examples/192.168.1.1.json)
|
52
54
|
|
data/bin/ssh_scan
CHANGED
@@ -10,14 +10,15 @@ require 'optparse'
|
|
10
10
|
options = {
|
11
11
|
:target => nil,
|
12
12
|
:port => 22,
|
13
|
-
:policy => File.expand_path("../../policies/mozilla_modern.yml", __FILE__)
|
13
|
+
:policy => File.expand_path("../../policies/mozilla_modern.yml", __FILE__),
|
14
|
+
:unit_test => false
|
14
15
|
}
|
15
16
|
opt_parser = OptionParser.new do |opts|
|
16
17
|
opts.banner = "ssh_scan v#{SSHScan::VERSION} (https://github.com/claudijd/ssh_scan)\n\n" +
|
17
18
|
"Usage: ssh_scan [options]"
|
18
19
|
|
19
|
-
opts.on("-t", "--target [IP]",
|
20
|
-
"IP") do |ip|
|
20
|
+
opts.on("-t", "--target [IP/Hostname]",
|
21
|
+
"IP/Hostname") do |ip|
|
21
22
|
options[:target] = ip
|
22
23
|
end
|
23
24
|
|
@@ -31,12 +32,26 @@ opt_parser = OptionParser.new do |opts|
|
|
31
32
|
options[:policy] = policy
|
32
33
|
end
|
33
34
|
|
35
|
+
opts.on("-u", "--unit-test [FILE]",
|
36
|
+
"Throw appropriate exit codes based on compliance status") do
|
37
|
+
options[:unit_test] = true
|
38
|
+
end
|
39
|
+
|
40
|
+
opts.on("-v", "--version",
|
41
|
+
"Display just version info") do
|
42
|
+
puts SSHScan::VERSION
|
43
|
+
exit
|
44
|
+
end
|
45
|
+
|
34
46
|
opts.on_tail("-h", "--help", "Show this message") do
|
35
47
|
puts opts
|
36
48
|
puts "\nExamples:"
|
37
49
|
puts "\n ssh_scan -t 192.168.1.1"
|
50
|
+
puts " ssh_scan -t server.example.com"
|
38
51
|
puts " ssh_scan -t 192.168.1.1 -p 22222"
|
39
52
|
puts " ssh_scan -t 192.168.1.1 -P custom_policy.yml"
|
53
|
+
puts " ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml"
|
54
|
+
puts ""
|
40
55
|
exit
|
41
56
|
end
|
42
57
|
end
|
@@ -49,6 +64,12 @@ if options[:target].nil?
|
|
49
64
|
exit
|
50
65
|
end
|
51
66
|
|
67
|
+
unless options[:target].ip_addr? || options[:target].fqdn?
|
68
|
+
puts opt_parser.help
|
69
|
+
puts "\nReason: #{options[:target]} is not a valid target"
|
70
|
+
exit
|
71
|
+
end
|
72
|
+
|
52
73
|
unless (0..65535).include?(options[:port])
|
53
74
|
puts opt_parser.help
|
54
75
|
puts "\nReason: port supplied is not within acceptable range"
|
@@ -61,10 +82,16 @@ unless File.exists?(options[:policy])
|
|
61
82
|
exit
|
62
83
|
end
|
63
84
|
|
64
|
-
|
85
|
+
options[:policy_file] = SSHScan::Policy.from_file(options[:policy])
|
65
86
|
|
66
87
|
# Perform scan and get results
|
67
88
|
scan_engine = SSHScan::ScanEngine.new()
|
68
|
-
result = scan_engine.scan(options
|
89
|
+
result = scan_engine.scan(options)
|
69
90
|
|
70
91
|
puts JSON.pretty_generate(result)
|
92
|
+
|
93
|
+
if result["compliance"] && result["compliance"][:compliant] == false
|
94
|
+
exit 1 #non-zero means a false
|
95
|
+
else
|
96
|
+
exit 0 #non-zero means pass
|
97
|
+
end
|
data/lib/ssh_scan/client.rb
CHANGED
@@ -4,8 +4,15 @@ require 'ssh_scan/protocol'
|
|
4
4
|
|
5
5
|
module SSHScan
|
6
6
|
class Client
|
7
|
-
def initialize(
|
8
|
-
@
|
7
|
+
def initialize(target, port)
|
8
|
+
@target = target
|
9
|
+
|
10
|
+
if @target.ip_addr?
|
11
|
+
@ip = @target
|
12
|
+
else
|
13
|
+
@ip = @target.resolve_fqdn()
|
14
|
+
end
|
15
|
+
|
9
16
|
@port = port
|
10
17
|
@client_protocol = SSHScan::Constants::DEFAULT_CLIENT_PROTOCOL
|
11
18
|
@server_protocol = nil
|
@@ -27,11 +34,12 @@ module SSHScan
|
|
27
34
|
kex_exchange_init = SSHScan::KeyExchangeInit.read(resp)
|
28
35
|
|
29
36
|
# Assemble and print results
|
30
|
-
result = {
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
37
|
+
result = {}
|
38
|
+
result[:ssh_scan_version] = SSHScan::VERSION
|
39
|
+
result[:hostname] = @target.fqdn? ? @target : ""
|
40
|
+
result[:ip] = @ip
|
41
|
+
result[:port] = @port
|
42
|
+
result[:server_banner] = @server_protocol
|
35
43
|
result.merge!(kex_exchange_init.to_hash)
|
36
44
|
|
37
45
|
return result
|
data/lib/ssh_scan/scan_engine.rb
CHANGED
@@ -4,9 +4,13 @@ require 'ssh_scan/client'
|
|
4
4
|
module SSHScan
|
5
5
|
class ScanEngine
|
6
6
|
|
7
|
-
def scan(
|
7
|
+
def scan(opts)
|
8
|
+
target = opts[:target]
|
9
|
+
port = opts[:port]
|
10
|
+
policy = opts[:policy_file]
|
11
|
+
|
8
12
|
# Connect and get results
|
9
|
-
client = SSHScan::Client.new(
|
13
|
+
client = SSHScan::Client.new(target, port)
|
10
14
|
client.connect()
|
11
15
|
result = client.get_kex_result()
|
12
16
|
|
data/lib/ssh_scan/version.rb
CHANGED
data/lib/string_ext.rb
CHANGED
@@ -1,6 +1,39 @@
|
|
1
|
+
require 'ipaddr'
|
2
|
+
|
1
3
|
# Extend string to include some helpful stuff
|
2
4
|
class String
|
3
5
|
def unhexify
|
4
6
|
[self].pack("H*")
|
5
7
|
end
|
8
|
+
|
9
|
+
def ip_addr?
|
10
|
+
begin
|
11
|
+
IPAddr.new(self)
|
12
|
+
|
13
|
+
# Using ArgumentError instead of IPAddr::InvalidAddressError for 1.9.3 backward compatability
|
14
|
+
rescue ArgumentError
|
15
|
+
return false
|
16
|
+
end
|
17
|
+
|
18
|
+
return true
|
19
|
+
end
|
20
|
+
|
21
|
+
def resolve_fqdn
|
22
|
+
@fqdn ||= TCPSocket.gethostbyname(self)[3]
|
23
|
+
end
|
24
|
+
|
25
|
+
def fqdn?
|
26
|
+
begin
|
27
|
+
resolve_fqdn
|
28
|
+
rescue SocketError
|
29
|
+
return false
|
30
|
+
end
|
31
|
+
|
32
|
+
if ip_addr?
|
33
|
+
return false
|
34
|
+
else
|
35
|
+
return true
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
6
39
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ssh_scan
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.7
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jonathan Claudius
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-03-
|
11
|
+
date: 2016-03-04 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bindata
|