ssh_scan 0.0.7 → 0.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 523f33ca35c02c11f2a59a1cab89e06cc6dbed10
-  data.tar.gz: e94e1d5cfb9df79e4e32e09e34d7e2670bafe223
+  metadata.gz: 1a02e7aa137511342eb655ddb1040cfbe8f39e47
+  data.tar.gz: 0db6be22ce2c16b3d389c742142f97b1288c422f
 SHA512:
-  metadata.gz: 499ca37ef4d13b353074a9ee3ea03484c87f1f633a8e4b02b93f4014f5b9be2cf4700ff0b28ab2b101e2ab491bdb7a85672379bb691b98b20d388be41ab38d33
-  data.tar.gz: a82121192d78b156c218bd53ecc27edf661f417c3deb028f999ae6dda7ee7b017db3af2113628e31d89c6446a4c0a4044b9cda309f2e73e9a1e59440a2e7b1a4
+  metadata.gz: 298a42ca4f082a1c733e30189988506b3b99d0e08aeb406daee23047242a5e4e73dd44e0845fd36ae13b3a67b59c0db6fe35b41840a08e7931833beba90c9ed6
+  data.tar.gz: abb0db799fe454f328e7043f9479427e09fc76360992401f4cf90e0b9db5068589cd14569d2921c56930520497a02171945bbcc08940ef1e46a837c1717072c1

data/.travis.yml

@@ -3,7 +3,4 @@ rvm:
   - 2.1.3
   - 2.1.0
   - 2.0.0
-  - 1.9.3
-  - jruby-19mode
   - ruby-head
-  - jruby-head

data/README.md

@@ -1,7 +1,7 @@
 # ssh_scan
 
-[![Build Status](https://secure.travis-ci.org/claudijd/ssh_scan.png)](http://travis-ci.org/claudijd/ssh_scan)
-[![Code Climate](https://codeclimate.com/github/claudijd/ssh_scan.png)](https://codeclimate.com/github/claudijd/ssh_scan)
+[![Build Status](https://secure.travis-ci.org/mozilla/ssh_scan.png)](http://travis-ci.org/mozilla/ssh_scan)
+[![Code Climate](https://codeclimate.com/github/mozilla/ssh_scan.png)](https://codeclimate.com/github/mozilla/ssh_scan)
 [![Gem Version](https://badge.fury.io/rb/ssh_scan.svg)](https://badge.fury.io/rb/ssh_scan)
 
 A SSH configuration and policy scanner
@@ -25,7 +25,7 @@ ssh_scan
 To install from source, type
 
 ```bash
-git clone https://github.com/claudijd/ssh_scan.git
+git clone https://github.com/mozilla/ssh_scan.git
 cd ssh_scan
 gem install bindata
 ./bin/ssh_scan
@@ -35,24 +35,30 @@ gem install bindata
 
 Run `ssh_scan -h` to get this
 
-    ssh_scan v0.0.6 (https://github.com/claudijd/ssh_scan)
+    ssh_scan v0.0.8 (https://github.com/mozilla/ssh_scan)
 
     Usage: ssh_scan [options]
-        -t, --target [IP/Hostname]       IP/Hostname
+        -t, --target [IP/Hostname]       IP/Hostname (IPv4/IPv6/FQDNs)
         -p, --port [PORT]                Port (Default: 22)
         -P, --policy [FILE]              Policy file (Default: Mozilla Modern)
+        -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
+        -v, --version                    Display just version info
         -h, --help                       Show this message
 
     Examples:
 
       ssh_scan -t 192.168.1.1
       ssh_scan -t server.example.com
-      ssh_scan -t server.example.com -p 22222
-      ssh_scan -t server.example.com -P custom_policy.yml
+      ssh_scan -t ::1
+      ssh_scan -t 192.168.1.1 -p 22222
+      ssh_scan -t 192.168.1.1 -P custom_policy.yml
+      ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
 
-See here for [example output](https://github.com/claudijd/ssh_scan/blob/master/examples/192.168.1.1.json)
+See here for [example video](https://asciinema.org/a/7pliiw5zqhj7eqvz7q437u6vx)
 
-See here for [example policies](https://github.com/claudijd/ssh_scan/blob/master/policies)
+See here for [example output](https://github.com/mozilla/ssh_scan/blob/master/examples/192.168.1.1.json)
+
+See here for [example policies](https://github.com/mozilla/ssh_scan/blob/master/policies)
 
 ## Rubies Supported
 
@@ -66,11 +72,11 @@ This project is integrated with [travis-ci](http://about.travis-ci.org/) and is
 * [jruby-head](http://jruby.org/)
 * [jruby-19mode](http://jruby.org/)
 
-To checkout the current build status for these rubies, click [here](https://travis-ci.org/#!/claudijd/ssh_scan).
+To checkout the current build status for these rubies, click [here](https://travis-ci.org/#!/mozilla/ssh_scan).
 
 ## Contributing
 
-If you are interested in contributing to this project, please see [CONTRIBUTING.md](https://github.com/claudijd/ssh_scan/blob/master/CONTRIBUTING.md)
+If you are interested in contributing to this project, please see [CONTRIBUTING.md](https://github.com/mozilla/ssh_scan/blob/master/CONTRIBUTING.md)
 
 ## Credits
 

data/bin/ssh_scan

@@ -14,11 +14,11 @@ options = {
   :unit_test => false
 }
 opt_parser = OptionParser.new do |opts|
-  opts.banner = "ssh_scan v#{SSHScan::VERSION} (https://github.com/claudijd/ssh_scan)\n\n" +
+  opts.banner = "ssh_scan v#{SSHScan::VERSION} (https://github.com/mozilla/ssh_scan)\n\n" +
                 "Usage: ssh_scan [options]"
 
   opts.on("-t", "--target [IP/Hostname]",
-          "IP/Hostname") do |ip|
+          "IP/Hostname (IPv4/IPv6/FQDNs)") do |ip|
     options[:target] = ip
   end
 
@@ -48,6 +48,7 @@ opt_parser = OptionParser.new do |opts|
     puts "\nExamples:"
     puts "\n  ssh_scan -t 192.168.1.1"
     puts "  ssh_scan -t server.example.com"
+    puts "  ssh_scan -t ::1"
     puts "  ssh_scan -t 192.168.1.1 -p 22222"
     puts "  ssh_scan -t 192.168.1.1 -P custom_policy.yml"
     puts "  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml"

data/lib/ssh_scan/banner.rb

@@ -0,0 +1,56 @@
+require 'ssh_scan/os'
+require 'ssh_scan/ssh_lib'
+
+module SSHScan
+  class Banner
+    def initialize(string)
+      @string = string
+    end
+
+    def self.read(string)
+      return SSHScan::Banner.new(string.chomp)
+    end
+
+    def ssh_version()
+      if version = @string.match(/SSH-(\d+[\.\d+]+)/)[1]
+        return version.to_f
+      else
+        return "unknown"
+      end
+    end
+
+    def ssh_lib_guess()
+      case @string
+      when /OpenSSH/i
+        return SSHScan::SSHLib::OpenSSH.new()
+      when /LibSSH/i
+        return SSHScan::SSHLib::LibSSH.new()
+      else
+        return SSHScan::SSHLib::Unknown.new()
+      end
+    end
+
+    def os_guess()
+      case @string
+      when /Ubuntu/i
+        return SSHScan::OS::Ubuntu.new
+      when /CentOS/i
+        return SSHScan::OS::CentOS.new
+      when /FreeBSD/i
+        return SSHScan::OS::FreeBSD.new
+      when /Debian/i
+        return SSHScan::OS::Debian.new
+      else
+        return SSHScan::OS::Unknown.new
+      end
+    end
+
+    def ==(other)
+      self.to_s == other.to_s
+    end
+
+    def to_s
+      @string
+    end
+  end
+end

data/lib/ssh_scan/client.rb

@@ -1,6 +1,7 @@
 require 'socket'
 require 'ssh_scan/constants'
 require 'ssh_scan/protocol'
+require 'ssh_scan/banner'
 
 module SSHScan
   class Client
@@ -14,15 +15,16 @@ module SSHScan
       end
 
       @port = port
-      @client_protocol = SSHScan::Constants::DEFAULT_CLIENT_PROTOCOL
-      @server_protocol = nil
+      @client_banner = SSHScan::Constants::DEFAULT_CLIENT_BANNER
+      @server_banner = nil
       @kex_init_raw = SSHScan::Constants::DEFAULT_KEY_INIT_RAW
     end
 
     def connect()
       @sock = TCPSocket.new(@ip, @port)
-      @server_protocol = @sock.gets.chomp
-      @sock.puts(@client_protocol)
+      @raw_server_banner = @sock.gets.chomp
+      @server_banner = SSHScan::Banner.read(@raw_server_banner)
+      @sock.puts(@client_banner.to_s)
     end
 
     def get_kex_result(kex_init_raw = @kex_init_raw)
@@ -39,7 +41,12 @@ module SSHScan
       result[:hostname] = @target.fqdn? ? @target : ""
       result[:ip] = @ip
       result[:port] = @port
-      result[:server_banner] = @server_protocol
+      result[:server_banner] = @server_banner
+      result[:ssh_version] = @server_banner.ssh_version
+      result[:os] = @server_banner.os_guess.common
+      result[:os_cpe] = @server_banner.os_guess.cpe
+      result[:ssh_lib] = @server_banner.ssh_lib_guess.common
+      result[:ssh_lib_cpe] = @server_banner.ssh_lib_guess.cpe
       result.merge!(kex_exchange_init.to_hash)
 
       return result

data/lib/ssh_scan/constants.rb

@@ -1,9 +1,10 @@
 require 'string_ext'
+require 'ssh_scan/banner'
 
 module SSHScan
   module Constants
-    DEFAULT_CLIENT_PROTOCOL = "SSH-2.0-client"
-    DEFAULT_SERVER_PROTOCOL = "SSH-2.0-server"
+    DEFAULT_CLIENT_BANNER = SSHScan::Banner.new("SSH-2.0-ssh_scan")
+    DEFAULT_SERVER_BANNER = SSHScan::Banner.new("SSH-2.0-server")
     DEFAULT_KEY_INIT_RAW = ("d8eb97b11b6cacbc3285473f08004500019ceccf40004006663fc0a80a7c3ff" +
                             "5db33cdfd0016982e6062988da97e801810154d2b00000101080a03a6399f3d" +
                             "f735d6000001640414e33f813f8cdcc6b00a3d852ec1aea4980000001a64696" +

data/lib/ssh_scan/os/centos.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class CentOS
+      def common
+        "centos"
+      end
+
+      def cpe
+        "o:centos:centos"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os/debian.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class Debian
+      def common
+        "debian"
+      end
+
+      def cpe
+        "o:debian:debian"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os/freebsd.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class FreeBSD
+      def common
+        "freebsd"
+      end
+
+      def cpe
+        "o:freebsd:freebsd"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os/ubuntu.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class Ubuntu
+      def common
+        "ubuntu"
+      end
+
+      def cpe
+        "o:canonical:freebsd"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os/unknown.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module OS
+    class Unknown
+      def common
+        "unknown"
+      end
+
+      def cpe
+        "o:unknown"
+      end
+    end
+  end
+end

data/lib/ssh_scan/os.rb

@@ -0,0 +1,5 @@
+require 'ssh_scan/os/centos'
+require 'ssh_scan/os/debian'
+require 'ssh_scan/os/freebsd'
+require 'ssh_scan/os/ubuntu'
+require 'ssh_scan/os/unknown'

data/lib/ssh_scan/scan_engine.rb

@@ -1,5 +1,6 @@
 require 'socket'
 require 'ssh_scan/client'
+require 'net/ssh'
 
 module SSHScan
   class ScanEngine
@@ -9,11 +10,39 @@ module SSHScan
       port = opts[:port]
       policy = opts[:policy_file]
 
-      # Connect and get results
+      # Connect and get results (native)
       client = SSHScan::Client.new(target, port)
       client.connect()
       result = client.get_kex_result()
 
+      # Connect and get results (Net-SSH)
+      net_ssh_session = Net::SSH::Transport::Session.new(target)
+      auth_session = Net::SSH::Authentication::Session.new(net_ssh_session, :auth_methods => ["none"])
+      auth_session.authenticate("none", "test", "test")
+      result['auth_methods'] = auth_session.allowed_auth_methods
+      host_key = net_ssh_session.host_keys.first
+      net_ssh_session.close
+
+      # only supporting RSA for the moment
+      unless OpenSSL::PKey::RSA
+        raise "Unknown host key type, need to add this host_key type"
+      end
+
+      data_string = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer.new(host_key.public_key.n),
+        OpenSSL::ASN1::Integer.new(host_key.public_key.e)
+      ])
+
+      fingerprint_md5 = OpenSSL::Digest::MD5.hexdigest(data_string.to_der).scan(/../).join(':')
+      fingerprint_sha1 = OpenSSL::Digest::SHA1.hexdigest(data_string.to_der).scan(/../).join(':')
+      fingerprint_sha256 = OpenSSL::Digest::SHA256.hexdigest(data_string.to_der).scan(/../).join(':')
+
+      result['fingerprints'] = {
+        "md5" => fingerprint_md5,
+        "sha1" => fingerprint_sha1,
+        "sha256" => fingerprint_sha256,
+      }
+
       # If policy defined, then add compliance results
       unless policy.nil?
         policy_mgr = SSHScan::PolicyManager.new(result, policy)

data/lib/ssh_scan/ssh_lib/libssh.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module SSHLib
+    class LibSSH
+      def common
+        "libssh"
+      end
+
+      def cpe
+        "a:libssh:libssh"
+      end
+    end
+  end
+end

data/lib/ssh_scan/ssh_lib/openssh.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module SSHLib
+    class OpenSSH
+      def common
+        "openssh"
+      end
+
+      def cpe
+        "a:openssh:openssh"
+      end
+    end
+  end
+end

data/lib/ssh_scan/ssh_lib/unknown.rb

@@ -0,0 +1,13 @@
+module SSHScan
+  module SSHLib
+    class Unknown
+      def common
+        "unknown"
+      end
+
+      def cpe
+        "a:unknown"
+      end
+    end
+  end
+end

data/lib/ssh_scan/ssh_lib.rb

@@ -0,0 +1,3 @@
+require 'ssh_scan/ssh_lib/openssh'
+require 'ssh_scan/ssh_lib/libssh'
+require 'ssh_scan/ssh_lib/unknown'

data/lib/ssh_scan/version.rb

@@ -1,3 +1,3 @@
 module SSHScan
-  VERSION = '0.0.7'
+  VERSION = '0.0.8'
 end

data/ssh_scan.gemspec

@@ -27,6 +27,7 @@ Gem::Specification.new do |s|
   s.homepage = 'http://rubygems.org/gems/ssh_scan'
 
   s.add_dependency('bindata', '~> 2.0')
+  s.add_dependency('net-ssh')
   s.add_development_dependency('pry')
   s.add_development_dependency('rspec', '~> 3.0')
   s.add_development_dependency('rspec-its', '~> 1.2')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssh_scan
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.8
 platform: ruby
 authors:
 - Jonathan Claudius
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-04 00:00:00.000000000 Z
+date: 2016-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -96,13 +110,24 @@ files:
 - Rakefile
 - bin/ssh_scan
 - lib/ssh_scan.rb
+- lib/ssh_scan/banner.rb
 - lib/ssh_scan/basic_server.rb
 - lib/ssh_scan/client.rb
 - lib/ssh_scan/constants.rb
+- lib/ssh_scan/os.rb
+- lib/ssh_scan/os/centos.rb
+- lib/ssh_scan/os/debian.rb
+- lib/ssh_scan/os/freebsd.rb
+- lib/ssh_scan/os/ubuntu.rb
+- lib/ssh_scan/os/unknown.rb
 - lib/ssh_scan/policy.rb
 - lib/ssh_scan/policy_manager.rb
 - lib/ssh_scan/protocol.rb
 - lib/ssh_scan/scan_engine.rb
+- lib/ssh_scan/ssh_lib.rb
+- lib/ssh_scan/ssh_lib/libssh.rb
+- lib/ssh_scan/ssh_lib/openssh.rb
+- lib/ssh_scan/ssh_lib/unknown.rb
 - lib/ssh_scan/version.rb
 - lib/string_ext.rb
 - policies/mozilla_intermediate.yml
@@ -128,7 +153,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.6.2
 signing_key: 
 specification_version: 4
 summary: Ruby-based SSH Scanner