arthepsy/ssh-audit

feature-request : support options in any order

Opened this issue · 0 comments

noraj commented

Warning: read the update section

related to #37

ssh-audit displays the wrong banner instead of displaying the real one or saying it doesn't know this one:

ssh-audit x.x.x.x -p 2222
# general
(gen) banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
(gen) software: OpenSSH 7.2p2
(gen) compatibility: OpenSSH 7.2+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

But when doing ssh -v or sftp -v (because it is an sftp server) I can see: debug1: Remote protocol version 2.0, remote software version mod_sftp/0.9.9.

To be sure I used nmap:

nmap -Pn -p 2222 x.x.x.x -sVC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-28 11:06 CET
Nmap scan report for x.com (x.x.x.x)
Host is up (0.023s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     ProFTPD mod_sftp 0.9.9 (protocol 2.0)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.67 seconds

So:

  1. You need to display the real banner, the one actually grabbed, not make an internal match or something and display a wrong banner when the SSH provider is not known to ssh-audit, because it can lead to severe mistakes.
  2. As #37 said, add mod_sftp support (the sftp module of ProFTPD).

Update: also a real SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6 is running on port 22, so I suspect that ssh-audit is ignoring the option for port 2222.

ssh-audit/ssh-audit.py

Lines 155 to 185 in 22b671e

        elif o in ('-p', '--port'):
            oport = a
        elif o in ('-b', '--batch'):
            aconf.batch = True
            aconf.verbose = True
        elif o in ('-n', '--no-colors'):
            aconf.colors = False
        elif o in ('-v', '--verbose'):
            aconf.verbose = True
        elif o in ('-l', '--level'):
            if a not in ('info', 'warn', 'fail'):
                usage_cb('level {0} is not valid'.format(a))
            aconf.minlevel = a
    if len(args) == 0:
        usage_cb()
    if oport is not None:
        host = args[0]
        port = utils.parse_int(oport)
    else:
        s = args[0].split(':')
        host = s[0].strip()
        if len(s) == 2:
            oport, port = s[1], utils.parse_int(s[1])
        else:
            oport, port = '22', 22
    if not host:
        usage_cb('host is empty')
    if port <= 0 or port > 65535:
        usage_cb('port {0} is not valid'.format(oport))
    aconf.host = host
    aconf.port = port

==> this is it: if I put ssh-audit -p 2222 x.x.x.x instead of ssh-audit x.x.x.x -p 2222 I get the correct banner:

(gen) banner: SSH-2.0-mod_sftp/0.9.9
(gen) compatibility: OpenSSH 5.9-6.6, Dropbear SSH 2013.62+ (some functionality from 0.52)
(gen) compression: enabled (zlib@openssh.com, zlib)

So I suggest supporting options in any order, even after the host, as nmap and many other tools do.
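The behaviour described in the issue follows from how Python's getopt.getopt works: it stops parsing at the first non-option argument, so in `ssh-audit x.x.x.x -p 2222` the `-p 2222` pair is left in `args` and never reaches the option loop, and the host/port code above then falls through to the default port 22 without complaint. The block below is an added illustration, not code from the ssh-audit project or from the issue author: it reproduces the host/port logic of the quoted snippet in a stand-alone function, with `parse_int` and `ValueError` standing in for ssh-audit's `utils.parse_int` and `usage_cb` (both assumptions for this example), and switches between getopt.getopt (the bug) and getopt.gnu_getopt (which permutes arguments nmap-style, the behaviour the issue requests). It also returns the leftover positional arguments so the silent loss is visible.

```python
import getopt

# Short and long option strings mirroring the options visible in the quoted
# snippet (-h/-b/-n/-v/-l/-p); which of them ssh-audit's real getopt call
# declares is an assumption of this example.
SOPTS = 'hbnvl:p:'
LOPTS = ['help', 'batch', 'no-colors', 'verbose', 'level=', 'port=']


def parse_int(value):
    """Stand-in for utils.parse_int (assumption): non-numeric -> 0,
    which the range check below then rejects."""
    try:
        return int(value)
    except ValueError:
        return 0


def parse_args(argv, permute=False):
    """Return (host, port, leftover_args) using the snippet's logic.

    permute=False uses getopt.getopt: parsing stops at the first
    non-option, so anything after the host is left in `args` unseen.
    permute=True uses getopt.gnu_getopt, which lets options appear
    anywhere on the command line (unless POSIXLY_CORRECT is set).
    Raises ValueError where the original calls usage_cb().
    """
    parser = getopt.gnu_getopt if permute else getopt.getopt
    try:
        opts, args = parser(argv, SOPTS, LOPTS)
    except getopt.GetoptError as err:
        raise ValueError(str(err))

    oport = None
    for o, a in opts:
        if o in ('-p', '--port'):
            oport = a
        # -b/-n/-v/-l only touch aconf flags and do not affect host/port,
        # so they are skipped in this illustration.

    if len(args) == 0:
        raise ValueError('no host given')

    if oport is not None:
        host = args[0]
        port = parse_int(oport)
    else:
        # host[:port] form; defaults to 22 exactly as the snippet does
        s = args[0].split(':')
        host = s[0].strip()
        if len(s) == 2:
            oport, port = s[1], parse_int(s[1])
        else:
            oport, port = '22', 22

    if not host:
        raise ValueError('host is empty')
    if port <= 0 or port > 65535:
        raise ValueError('port {0} is not valid'.format(oport))

    # Everything after the host that the parser did not consume. With
    # getopt.getopt and `host -p 2222` this is ['-p', '2222']: the port
    # the user asked for, silently ignored.
    return host, port, args[1:]


if __name__ == '__main__':
    cmdline = ['x.x.x.x', '-p', '2222']  # the ordering from the issue
    print('getopt.getopt    :', parse_args(cmdline))
    print('getopt.gnu_getopt:', parse_args(cmdline, permute=True))
    print('option first     :', parse_args(['-p', '2222', 'x.x.x.x']))
```

Either of two small changes would have prevented the misleading OpenSSH result: switching to gnu_getopt so `-p` is honoured wherever it appears, or failing with a usage error when `args` still holds more than the host, since trailing arguments can only mean something was not parsed. Doing both is the safest, because the second also catches typos such as `--prot 2222` that no permutation can rescue.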