ssh-audit is a tool for ssh server & client configuration auditing.

Overview

ssh-audit


jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • policy scans to ensure adherence to a hardened/standard configuration;
  • runs on Linux and Windows;
  • supports Python 3.6 - 3.9;
  • no dependencies

Usage

usage: ssh-audit.py [options] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -d,  --debug            Enable debug output.
   -j,  --json             JSON output (use -jj to enable indents)
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=<alg1,alg2,...>  looks up an algorithm(s) without
                                     connecting to a server
   -m,  --manual           print the man page (Windows only)
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                     (i.e.: the target server has the ideal
                                     configuration that other servers should
                                     adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<"policy name" | policy.txt>  run a policy test using the
                                     specified policy
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                                     (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                                     per line, format HOST[:PORT])
        --threads=<threads>  number of threads to use when scanning multiple
                                     targets (-T/--targets) (default: 32)
   -v,  --verbose          verbose output

  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
  • an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).
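The section tag in front of each algorithm and the [info]/[warn]/[fail] markers are what make the report easy to post-process when many hosts are scanned. The following is an added example, not ssh-audit's own code: it parses a report in the format the tool prints (further findings for the same algorithm appear on continuation lines beginning with "`-") and groups every algorithm by its worst finding. The sample report is constructed for the example. It does not reproduce the tool's exit codes, which already cover the plain pass/fail case.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format ssh-audit prints (not real scan output).
SAMPLE_OUTPUT = """\
# key exchange algorithms
(kex) curve25519-sha256                         -- [info] available since OpenSSH 7.4
(kex) diffie-hellman-group-exchange-sha1        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                                `- [warn] using weak hashing algorithm
                                                `- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1               -- [warn] using weak hashing algorithm
                                                `- [info] available since OpenSSH 3.9
(kex) ext-info-c

# message authentication code algorithms
(mac) hmac-sha2-256                             -- [warn] using encrypt-and-MAC mode
                                                `- [info] available since OpenSSH 5.9
(mac) hmac-sha1                                 -- [warn] using encrypt-and-MAC mode
                                                `- [warn] using weak hashing algorithm
"""

LEVELS = {"info": 0, "warn": 1, "fail": 2}
# "(section) algorithm" optionally followed by " -- <tag and message>"
LINE_RE = re.compile(r"^\((\w+)\)\s+(\S+)\s*(?:--\s*(.*))?$")
# continuation line belonging to the previous algorithm: "`- <tag and message>"
CONT_RE = re.compile(r"^\s+`-\s*(.*)$")
TAG_RE = re.compile(r"^\[(\w+)\]\s*(.*)$")

Finding = Tuple[str, str]  # (level, message)


def _finding(text: str) -> Finding:
    """Split "[fail] message" into ("fail", "message"); untagged text becomes a "note"."""
    m = TAG_RE.match(text.strip())
    return (m.group(1), m.group(2).strip()) if m else ("note", text.strip())


def parse_output(text: str) -> Dict[str, Dict[str, List[Finding]]]:
    """Return {section: {algorithm: [findings]}} for one ssh-audit report."""
    report: Dict[str, Dict[str, List[Finding]]] = {}
    current = None  # findings list of the most recent algorithm line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            section, algorithm, tail = m.groups()
            current = report.setdefault(section, {}).setdefault(algorithm, [])
            if tail:
                current.append(_finding(tail))
            continue
        m = CONT_RE.match(line)
        if m and current is not None:
            current.append(_finding(m.group(1)))
        else:
            current = None  # a blank line or "# section" header ends the algorithm
    return report


def worst_level(findings: List[Finding]) -> str:
    """Most severe tag among an algorithm's findings; "info" when there is none."""
    return max((lvl for lvl, _ in findings if lvl in LEVELS), key=LEVELS.get, default="info")


def summarize(report: Dict[str, Dict[str, List[Finding]]]) -> Dict[str, List[str]]:
    """Group "section/algorithm" entries by their worst level."""
    groups: Dict[str, List[str]] = {"fail": [], "warn": [], "info": []}
    for section, algorithms in report.items():
        for algorithm, findings in algorithms.items():
            groups[worst_level(findings)].append(f"{section}/{algorithm}")
    return groups


if __name__ == "__main__":
    summary = summarize(parse_output(SAMPLE_OUTPUT))
    for level in ("fail", "warn"):
        for entry in summary[level]:
            print(f"{level}: {entry}")
```

Feed the parser the text of a standard (non-batch) run; the batch flag drops the headers but keeps the same per-algorithm lines, so it works on that too.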

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 anything@localhost):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting policy names with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver

To run a policy audit against a client:

ssh-audit -c -P ["policy name" | path/to/client_policy.txt]

To run a policy audit against many servers:

ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]

To create a policy based on a target server (which can be manually edited):

ssh-audit -M new_policy.txt targetserver

Screenshots

Server Standard Audit Example

Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service.

Server Policy Audit Example

Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine (hint: use -L/--list-policies to see names of built-in policies to use with -P/--policy).

After applying the steps in the hardening guide (see below), the output changes to the following.

Client Standard Audit Example

Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects.

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the releases page), PyPI, Snap, and Docker.

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install from Dockerhub:

$ docker pull positronsecurity/ssh-audit

(Then run with: docker run -it -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1)

Web Front-End

For convenience, a web front-end on top of the command-line tool is available at https://www.ssh-audit.com/.

ChangeLog

v2.6.0-dev

  • Snap packages now print more user-friendly error messages when permission errors are encountered.
  • JSON 'target' field now always includes port number; credit tomatohater1337.
  • Added 24 new key exchanges: ecdh-sha2-1.3.132.0.1, ecdh-sha2-1.2.840.10045.3.1.1, ecdh-sha2-1.3.132.0.33, ecdh-sha2-1.3.132.0.26, ecdh-sha2-1.3.132.0.27, ecdh-sha2-1.2.840.10045.3.1.7, ecdh-sha2-1.3.132.0.16, ecdh-sha2-1.3.132.0.34, ecdh-sha2-1.3.132.0.36, ecdh-sha2-1.3.132.0.37, ecdh-sha2-1.3.132.0.35, ecdh-sha2-1.3.132.0.38, ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==, ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==, ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==, ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==, ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==, ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==, ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==, ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==, ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==, ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==, ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==, ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==.

v2.5.0 (2021-08-26)

  • Fixed crash when running host key tests.
  • Handles server connection failures more gracefully.
  • Now prints JSON with indents when -jj is used (useful for debugging).
  • Added MD5 fingerprints to verbose output.
  • Added -d/--debug option for getting debugging output; credit Adam Russell.
  • Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the 'fingerprints' dictionary format.
  • Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256.
  • Added OpenSSH v8.6 & v8.7 policies.
  • Added 3 new key exchanges: gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==, and gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==.
  • Added 3 new MACs: hmac-ripemd160-96, AEAD_AES_128_GCM, and AEAD_AES_256_GCM.

v2.4.0 (2021-02-23)

  • Added multi-threaded scanning support.
  • Added built-in Windows manual page (see -m/--manual); credit Adam Russell.
  • Added version check for OpenSSH user enumeration (CVE-2018-15473).
  • Added deprecation note to host key types based on SHA-1.
  • Added extra warnings for SSHv1.
  • Added built-in hardened OpenSSH v8.5 policy.
  • Upgraded warnings to failures for host key types based on SHA-1.
  • Fixed crash when receiving unexpected response during host key test.
  • Fixed hang against older Cisco devices during host key test & gex test.
  • Fixed improper termination while scanning multiple targets when one target returns an error.
  • Dropped support for Python 3.5 (which reached EOL in Sept. 2020).
  • Added 1 new key exchange: [email protected].

v2.3.1 (2020-10-28)

  • Now parses public key sizes for [email protected] and [email protected] host key types.
  • Flag [email protected] as a failure due to SHA-1 hash.
  • Fixed bug in recommendation output which suppressed some algorithms inappropriately.
  • Built-in policies now include CA key requirements (if certificates are in use).
  • Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms; credit Adam Russell.
  • Migrated pre-made policies from external files to internal database.
  • Split single 3,500 line script into many files (by class).
  • Added setup.py support; credit Ganden Schaffner.
  • Added 1 new cipher: [email protected].

v2.3.0 (2020-09-27)

  • Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy). For an in-depth tutorial, see https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/.
  • Created new man page (see ssh-audit.1 file).
  • 1024-bit moduli upgraded from warnings to failures.
  • Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit Jürgen Gmach.
  • Added feature to look up algorithms in internal database (see --lookup); credit Adam Russell.
  • Suppress recommendation of token host key types.
  • Added check for use-after-free vulnerability in PuTTY v0.73.
  • Added 11 new host key types: ssh-rsa1, [email protected], ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256.
  • Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-.
  • Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, [email protected], [email protected].
  • Added 3 new MACs: [email protected], hmac-sha3-224, [email protected].

v2.2.0 (2020-03-11)

v2.1.1 (2019-11-26)

  • Added 2 new host key types: [email protected], [email protected].
  • Added 2 new ciphers: des, 3des.
  • Added 3 new PuTTY vulnerabilities.
  • During client testing, client IP address is now listed in output.

v2.1.0 (2019-11-14)

  • Added client software auditing functionality (see -c / --client-audit option).
  • Added JSON output option (see -j / --json option; credit Andreas Jaggi).
  • Fixed crash while scanning Solaris Sun_SSH.
  • Added 9 new key exchanges: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha1-, gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==, gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==, diffie-hellman-group15-sha256, ecdh-sha2-1.3.132.0.10, curve448-sha512.
  • Added 1 new host key type: ecdsa-sha2-1.3.132.0.10.
  • Added 4 new ciphers: idea-cbc, serpent128-cbc, serpent192-cbc, serpent256-cbc.
  • Added 6 new MACs: [email protected], [email protected], hmac-ripemd, [email protected], [email protected], [email protected].

v2.0.0 (2019-08-29)

  • Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
  • Added RSA host key length test.
  • Added RSA certificate key length test.
  • Added Diffie-Hellman modulus size test.
  • Now outputs host key fingerprints for RSA and ED25519.
  • Added 5 new key exchanges: [email protected], [email protected], [email protected], diffie-hellman-group16-sha256, diffie-hellman-group17-sha512.
  • Added 3 new encryption algorithms: des-cbc-ssh1, blowfish-ctr, twofish-ctr.
  • Added 10 new MACs: hmac-sha2-56, hmac-sha2-224, hmac-sha2-384, hmac-sha3-256, hmac-sha3-384, hmac-sha3-512, hmac-sha256, [email protected], hmac-sha512, [email protected].
  • Added command line argument (-t / --timeout) for connection & reading timeouts.
  • Updated CVEs for libssh & Dropbear.

v1.7.0 (2016-10-26)

  • implement options to allow specify IPv4/IPv6 usage and order of precedence
  • implement option to specify remote port (old behavior kept for compatibility)
  • add colors support for Microsoft Windows via optional colorama dependency
  • fix encoding and decoding issues, add tests, do not crash on encoding errors
  • use mypy-lang for static type checking and verify all code

v1.6.0 (2016-10-14)

  • implement algorithm recommendations section (based on recognized software)
  • implement full libssh support (version history, algorithms, security, etc)
  • fix SSH-1.99 banner recognition and version comparison functionality
  • do not output empty algorithms (happens for misconfigured servers)
  • make consistent output for Python 3.x versions
  • add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
  • use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

  • create security section for related security information
  • match and output assigned CVE list and security issues for Dropbear SSH
  • implement full SSH1 support with fingerprint information
  • automatically fallback to SSH1 on protocol mismatch
  • add new options to force SSH1 or SSH2 (both allowed by default)
  • parse banner information and convert it to specific software and OS version
  • do not use padding in batch mode
  • several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

  • implement batch output option
  • implement minimum output level option
  • fix compatibility with Python 2.6

v1.0.20160812

  • implement SSH version compatibility feature
  • fix wrong mac algorithm warning
  • fix Dropbear SSH version typo
  • parse pre-banner header
  • better errors handling

v1.0.20160803

  • use OpenSSH 7.3 banner
  • add new key-exchange algorithms

v1.0.20160207

  • use OpenSSH 7.2 banner
  • additional warnings for OpenSSH 7.2
  • fix OpenSSH 7.0 failure messages
  • add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

  • multiple additional warnings
  • support for none algorithm
  • better compression handling
  • ensure reading enough data (fixes few Linux SSH)

v1.0.20151230

  • Dropbear SSH support

v1.0.20151223

  • initial version
Comments
  • Man Page on Windows

    I'm contemplating whether it would be possible to make the man page available in Windows.

    This is not a complete solution; these are just my initial thoughts exploring what would be required and how we might go about doing it... Any thoughts, feedback or suggestions would be welcome...

    Converting the man page to a readable format for the Windows console

    Since Windows doesn't have a manual reader, the man page would need to be converted to a format that can be rendered in the Windows console. This would have to be performed as part of the build process when there's a new release.

    One option would be to simply convert it to plain text output. This conversion can be achieved as follows:

    MANWIDTH=80 man ./ssh-audit.1 > ssh_audit_windows_man.txt
    

    In Windows 10, the console is capable of interpreting ANSI escape sequences (also known as VT escape sequences). So another option would be to convert the man page to ANSI escape sequence formatted output; this would preserve any typographical emphasis that's present in the original man page, such as bold and underlined text. This conversion can be achieved as follows:

    # * man outputs a backspace-overwrite sequence rather than an ANSI escape 
    #   sequence.
    # * 'MAN_KEEP_FORMATTING' preserves the backspace-overwrite sequence when 
    #   redirected to a file or a pipe.
    # * The 'ul' command converts the backspace-overwrite sequence to an ANSI escape 
    #   sequence.
    
    MANWIDTH=80 MAN_KEEP_FORMATTING=1 man ./ssh-audit.1 | ul > ssh_audit_windows_man.txt
    

    Example of an ANSI escape sequence formatted man page on Windows 10

    import os

    # Enable ANSI escape sequence processing in the Windows console.
    os.system("color")

    with open('c:\\bitbucket\\ssh_audit_windows_man.txt', encoding="utf-8") as f:
        print(f.read())



    Displaying the man page

    Displaying the man page could perhaps be invoked using a command line parameter such as:

    ssh-audit.exe --manual
    

    Packaging the converted man page

    Currently the Windows package is a standalone executable with no external dependencies. Ideally any solution that's adopted would preserve this.

    Does anyone know of a way that the man page (in its converted format) could be embedded into the ssh-audit executable without having to ship an external text file?

    opened by thecliguy 35
  • Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256

    I've encountered an SSH server where the Diffie-Hellman group size used by the key exchange algorithm diffie-hellman-group-exchange-sha256 is hardcoded and cannot be seen or configured by an administrator.

    My plan was to use ssh-audit to scan the server and find out more information about the supported group size(s) but then I realised that ssh-audit only returns the minimum value.

    I studied RFC 4419 which explains how the client requests a modulus from the server by specifying a minimum, a preferred and a maximum value (expressed in bits). The send_init_gex function in ssh-audit has been implemented as per the explanation in RFC 4419, it accepts minbits, prefbits and maxbits.

    I was able to modify gextest.py to invoke send_init_gex with minbits, prefbits and maxbits of the same value from 0 to 8192. This gave me the answer I was looking for: it showed that the server was configured with group sizes of 1024, 2048, 3072, 4096 and 6144. Using this information I can now contact the manufacturer of the SSH server software and ask if they will consider removing 1024.

    @jtesta What do you think about adding group size enumeration as a feature to ssh-audit? I could submit my patch as a draft for you to review?

    Enumerating every value from 0 to 8192 is a slow process because it has to make a new connection to the target server each time. In my case this was not a problem because I ran the patched version of ssh-audit on the SSH server itself. However, if someone were to attempt this over a network it may cause a firewall's rate control to be triggered resulting in requests being blocked. So we'd probably need to mention this as a potential caveat in the documentation.

    opened by thecliguy 26
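For readers who want to see what the probe in this issue does at the wire level, the following is an added example; it is not ssh-audit's gextest.py or send_init_gex, nor code from the issue. It builds the SSH_MSG_KEX_DH_GEX_REQUEST message of RFC 4419 (min, n, max as uint32), decodes the SSH_MSG_KEX_DH_GEX_GROUP reply (mpint p, mpint g, encoded per RFC 4251) to read the modulus size the server chose, and runs the min = n = max sweep against a stand-in server whose supported sizes, moduli and choice rule are all constructed for the example. The transport framing around these payloads is not modelled, and a real server may apply a different selection rule within [min, max].

```python
import struct

SSH_MSG_KEX_DH_GEX_REQUEST = 34  # client -> server: min, n (preferred), max in bits
SSH_MSG_KEX_DH_GEX_GROUP = 31    # server -> client: mpint p, mpint g

# Sizes the stand-in server offers; constructed to mirror the set reported
# in the issue, not taken from any real product.
SUPPORTED_SIZES = (1024, 2048, 3072, 4096, 6144)


def encode_mpint(value: int) -> bytes:
    """RFC 4251 mpint: length-prefixed big-endian two's complement (non-negative here)."""
    if value < 0:
        raise ValueError("negative mpint not needed for DH parameters")
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra 0x00 if top bit set
    return struct.pack(">I", len(raw)) + raw


def decode_mpint(buf: bytes, offset: int):
    """Return (value, new_offset) for the mpint that starts at offset."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated mpint")
    return int.from_bytes(buf[start:start + length], "big", signed=True), start + length


def build_gex_request(minbits: int, prefbits: int, maxbits: int) -> bytes:
    """SSH_MSG_KEX_DH_GEX_REQUEST payload (RFC 4419 section 3)."""
    if not minbits <= prefbits <= maxbits:
        raise ValueError("RFC 4419 requires min <= n <= max")
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, minbits, prefbits, maxbits)


def parse_gex_request(payload: bytes):
    """Return (min, n, max) from a request payload."""
    msg, minbits, prefbits, maxbits = struct.unpack(">BIII", payload)
    if msg != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a GEX request")
    return minbits, prefbits, maxbits


def build_gex_group(p: int, g: int) -> bytes:
    """SSH_MSG_KEX_DH_GEX_GROUP payload carrying the chosen modulus and generator."""
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(g)


def parse_gex_group(payload: bytes):
    """Return (modulus bit length, generator) from a group reply payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a GEX group reply")
    p, offset = decode_mpint(payload, 1)
    g, _ = decode_mpint(payload, offset)
    return p.bit_length(), g


def placeholder_modulus(bits: int) -> int:
    """Stand-in value with exactly `bits` bits; NOT a safe prime, used only for framing."""
    return (1 << (bits - 1)) | 1


def mock_server_reply(request: bytes):
    """Stand-in server: picks the supported size nearest to n inside [min, max], else None."""
    minbits, prefbits, maxbits = parse_gex_request(request)
    fitting = [s for s in SUPPORTED_SIZES if minbits <= s <= maxbits]
    if not fitting:
        return None  # a real server would disconnect instead
    chosen = min(fitting, key=lambda s: abs(s - prefbits))
    return build_gex_group(placeholder_modulus(chosen), 2)


def enumerate_group_sizes(reply_for, candidates):
    """The issue's probe: request min = n = max for each candidate and keep those honoured."""
    found = []
    for size in candidates:
        reply = reply_for(build_gex_request(size, size, size))
        if reply is not None and parse_gex_group(reply)[0] == size:
            found.append(size)
    return found


if __name__ == "__main__":
    sizes = enumerate_group_sizes(mock_server_reply, range(1024, 8193, 1024))
    print("offered group sizes:", sizes)
    print("1024-bit group offered (flagged as a failure by ssh-audit):", 1024 in sizes)
```

Each probe is one fresh connection in practice, which is why the issue notes the sweep is slow and can trip rate limiting; a sweep in 1024-bit steps, as above, is usually enough to find a 1024-bit group.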
  • Show MD5 Hash of Fingerprint in Verbose Output

    When verifying host keys, PuTTY, plink and psftp use an md5 hash rather than a sha256 hash.

    plink 0.74 - Example Output (click to expand):

    C:\sandbox>plink.exe -v scanme.nmap.org
    Looking up host "scanme.nmap.org" for SSH connection
    Connecting to 45.33.32.156 port 22
    We claim version: SSH-2.0-PuTTY_Release_0.74
    Remote version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
    We believe remote version has SSH-2 channel request bug
    Using SSH protocol version 2
    No GSSAPI security context available
    Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
    Server also has ecdsa-sha2-nistp256/ssh-dss/ssh-rsa host keys, but we don't know any of them
    Host key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    The server's host key is not cached in the registry. You
    have no guarantee that the server is the computer you
    think it is.
    The server's ssh-ed25519 key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    If you trust this host, enter "y" to add the key to
    PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without
    adding the key to the cache, enter "n".
    If you do not trust this host, press Return to abandon the
    connection.
    Store key in cache? (y/n) 
    

    Currently ssh-audit only shows fingerprints in the form of a sha256 hash. Do you have any objection to also showing the md5 hash if the verbose (-v/--verbose) parameter has been provided?

    I've built a proof-of-concept that I can share.

    By the way, the Fingerprint class is already capable of producing an md5 hash, it's just not currently used: https://github.com/jtesta/ssh-audit/blob/2f1a2a60b153509612a450173041fb698177dc45/src/ssh_audit/fingerprint.py#L33-L37

    opened by thecliguy 14
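Both presentations are hashes of the same raw public key blob (the bytes that the base64 field of a known_hosts line decodes to): plink prints MD5 as colon-separated hex, as in the "33:fa:91:..." line above, while OpenSSH and ssh-audit print SHA256 as unpadded base64 behind a "SHA256:" prefix. The following is an added example, not code from ssh-audit's Fingerprint class or from the issue, that produces both forms from a blob or from a known_hosts line; the ssh-ed25519 key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int = 0):
    """Return (bytes, new_offset) for the string that starts at offset."""
    (n,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def key_type(blob: bytes) -> str:
    """The first string of a public key blob names its type, e.g. ssh-ed25519."""
    return read_ssh_string(blob)[0].decode("ascii")


def fingerprint_md5(blob: bytes) -> str:
    """PuTTY/plink style: MD5 of the blob as 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH / ssh-audit style: "SHA256:" plus unpadded base64 of the digest."""
    raw = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + raw.rstrip("=")


def fingerprints_from_known_hosts_line(line: str):
    """Parse "host keytype base64" (known_hosts format) and return (type, md5, sha256)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64")
    ktype, blob = fields[1], base64.b64decode(fields[2])
    if key_type(blob) != ktype:
        raise ValueError(f"blob type {key_type(blob)} does not match {ktype}")
    return ktype, fingerprint_md5(blob), fingerprint_sha256(blob)


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are 0x00..0x1f (not a real key).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS_LINE = "host.example ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    ktype, md5_fp, sha256_fp = fingerprints_from_known_hosts_line(SAMPLE_KNOWN_HOSTS_LINE)
    print(f"{ktype} MD5 {md5_fp}")
    print(f"{ktype} {sha256_fp}")
```

Comparing the MD5 form printed by plink against the SHA256 form printed by ssh-audit is only possible through the underlying blob, which is why showing both in one report saves a manual conversion.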
  • client audit vs client hardening guide

    Hi @jtesta

    I just discovered the client hardening mode.

    I run Ubuntu 18.04 on my laptop.

    I applied the changes from your hardening guide

    https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_linux_mint_19

    and then I started the client audit via python3.8 ssh-audit.py -c and then on a second terminal, I sshed into localhost port 2222.

    Expected: I expected all output to be green.

    What I got:

    # general
    (gen) client IP: 127.0.0.1
    (gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
    (gen) software: OpenSSH 7.6p1
    (gen) compression: enabled ([email protected], zlib)
    
    # key exchange algorithms
    (kex) curve25519-sha256                         -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    (kex) [email protected]              -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp256                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp384                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp521                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) diffie-hellman-group-exchange-sha256      -- [info] available since OpenSSH 4.4
    (kex) diffie-hellman-group16-sha512             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group18-sha512             -- [info] available since OpenSSH 7.3
    (kex) diffie-hellman-group-exchange-sha1        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.3.0
    (kex) diffie-hellman-group14-sha256             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group14-sha1               -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
    (kex) ext-info-c
    
    # host-key algorithms
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]          -- [info] available since OpenSSH 6.5
    (key) [email protected]              -- [info] available since OpenSSH 5.6
    (key) ecdsa-sha2-nistp256                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp384                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp521                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ssh-ed25519                               -- [info] available since OpenSSH 6.5
    (key) rsa-sha2-512                              -- [info] available since OpenSSH 7.2
    (key) rsa-sha2-256                              -- [info] available since OpenSSH 7.2
    (key) ssh-rsa                                   -- [fail] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
    
    # encryption algorithms (ciphers)
    (enc) [email protected]             -- [info] available since OpenSSH 6.5
                                                    `- [info] default cipher since OpenSSH 6.9.
    (enc) aes128-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) aes192-ctr                                -- [info] available since OpenSSH 3.7
    (enc) aes256-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) [email protected]                    -- [info] available since OpenSSH 6.2
    (enc) [email protected]                    -- [info] available since OpenSSH 6.2
    
    # message authentication code algorithms
    (mac) [email protected]                   -- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 6.2
    (mac) [email protected]                  -- [info] available since OpenSSH 6.2
    (mac) [email protected]             -- [info] available since OpenSSH 6.2
    (mac) [email protected]             -- [info] available since OpenSSH 6.2
    (mac) [email protected]                 -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 6.2
    (mac) [email protected]                       -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 4.7
    (mac) [email protected]                      -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha2-512                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha1                                 -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
    
    # algorithm recommendations (for OpenSSH 7.6)
    (rec) -diffie-hellman-group-exchange-sha1       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp256                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp384                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp521                       -- kex algorithm to remove 
    (rec) -ecdsa-sha2-nistp256                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp384                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp521                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ssh-rsa                                  -- key algorithm to remove 
    (rec) -diffie-hellman-group14-sha1              -- kex algorithm to remove 
    (rec) -hmac-sha1                                -- mac algorithm to remove 
    (rec) [email protected]                -- mac algorithm to remove 
    (rec) -hmac-sha2-256                            -- mac algorithm to remove 
    (rec) -hmac-sha2-512                            -- mac algorithm to remove 
    (rec) [email protected]                     -- mac algorithm to remove 
    (rec) [email protected]                  -- mac algorithm to remove 
    (rec) [email protected]                      -- mac algorithm to remove 
    
    # additional info
    (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    

    My ssh config contains some jumphost configurations, and then on the bottom your suggested changes which I echoed into the file.

    # lots of hosts...
    
    Host xxx
        Hostname 192.168.1.220
        ProxyJump yyy
    
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    MACs [email protected],[email protected],[email protected]
    HostKeyAlgorithms ssh-ed25519,[email protected],rsa-sha2-256,rsa-sha2-512,[email protected]
    
    

    I tried to google about client hardening, but almost all information out there is about server hardening.

    Any hint for me what to do?

    Thanks!

    opened by jugmac00 11
  • Add OpenSSH 8 recommendations

    Hi Joe,

    The tool currently suggests recommended settings for OpenSSH 7.6 but I currently have OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019, so it would be great to have up-to-date kex/mac/etc recommendations what to enable, disable, and so on. There might be such in the official docs but the tool should make it easy to find them via its output.

    # algorithm recommendations (for OpenSSH 7.6)
    ...
    
    opened by immanuelfodor 11
  • Feature request: Consider host entries in .ssh/config

    Feature request: Consider host entries in .ssh/config

    It would be convenient if host entries in .ssh/config (hostname, port) could be recognised and automatically be used, so an entry like

    Host staging
    	PubkeyAuthentication yes
    	IdentitiesOnly yes
    	IdentityFile ~/.ssh/id_ed25519
    	Hostname mystagingserver.domain.com
    	User dummy
    	Port 54321
    

    would allow a simple

    ssh-audit.py staging

    instead of a

    ssh-audit.py -p 54321 mystagingserver.domain.com

    opened by shoopdawoop 10
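    The two reports above both come down to how ~/.ssh/config is read, so here is an added example (my own code, not ssh-audit's) of a minimal resolver that implements the two ssh_config(5) rules that matter: an option line belongs to the nearest Host line above it, and the first value obtained for an option wins. Applied to the layout in the first report (hardening lines echoed after a Host block) it shows those lines only take effect for that one alias; placed under a trailing Host * they apply to every host. The same resolver turns an alias such as staging into the HOST:PORT form that ssh-audit and its -T/--targets file accept. The aliases, addresses and the three sample configs are constructed for the example, and Match blocks are treated as matching nothing, which is a simplification.

```python
import fnmatch
import re


def parse_ssh_config(text):
    """Return (host_patterns, option, value) triples in file order.

    host_patterns is None for lines that precede any Host/Match line (they apply
    to every host) and a list of glob patterns for lines under a Host line.
    Match blocks are recorded as an empty list, i.e. they match nothing here."""
    entries = []
    patterns = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            patterns = value.split()
        elif keyword == "match":
            patterns = []
        else:
            entries.append((patterns, keyword, value))
    return entries


def host_matches(patterns, host):
    """Host semantics: a negated pattern (!pat) vetoes the block; otherwise any
    one positive glob pattern matching the alias is enough."""
    if patterns is None:
        return True
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def resolve(text, host):
    """Effective options for `host`: the first obtained value wins."""
    effective = {}
    for patterns, option, value in parse_ssh_config(text):
        if option not in effective and host_matches(patterns, host):
            effective[option] = value
    return effective


def audit_target(text, host):
    """HOST:PORT for ssh-audit; defaults mirror ssh's (the alias itself, port 22)."""
    eff = resolve(text, host)
    return f"{eff.get('hostname', host)}:{eff.get('port', '22')}"


# Constructed hardening block using current OpenSSH algorithm names.
HARDENING = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
"""

# Constructed: the layout from the first report, hardening echoed after a Host block.
APPENDED_AFTER_HOST = """\
Host xxx
    Hostname 192.168.1.220
    ProxyJump yyy

""" + HARDENING

# Constructed: same content, but the hardening is scoped to every host.
UNDER_HOST_STAR = """\
Host xxx
    Hostname 192.168.1.220
    ProxyJump yyy

Host *
""" + HARDENING

# Constructed: the alias from the second report.
STAGING = """\
Host staging
\tHostname mystagingserver.domain.com
\tUser dummy
\tPort 54321
"""

if __name__ == "__main__":
    for name, cfg in (("appended after Host xxx", APPENDED_AFTER_HOST),
                      ("under Host *", UNDER_HOST_STAR)):
        for host in ("xxx", "prod"):
            ciphers = resolve(cfg, host).get("ciphers", "(client defaults, not hardened)")
            print(f"{name:>24}  {host:<5} Ciphers = {ciphers}")
    print("ssh-audit target for alias 'staging':", audit_target(STAGING, "staging"))
```

    On a real client, `ssh -G <alias>` prints the configuration OpenSSH itself resolved for that alias, which is the authoritative check that a hardening block is in scope; `ssh-audit -c` then confirms what the client actually offers on the wire. Writing audit_target() output for each alias to a file gives a ready -T/--targets list.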
  • Add an OPNsense SSH hardening guide

    Add an OPNsense SSH hardening guide

    Hi @jtesta,

    According to https://github.com/opnsense/core/issues/3975, there will be new SSH config options in OPNsense 20.7, so it'd be great to add these to the common OS list at https://www.ssh-audit.com/hardening_guides.html maybe below pfSense (as OPNsense is its fork).

    Until the new settings are released, users can enable them by running these commands on their OPNsense box/vm:

    opnsense-patch 5df590c
    opnsense-patch 1165119
    service configd restart
    

    As there is no ordering in the chosen algos (limitation of the UI), advanced users that mess with these settings should pick their choices to be the hardest that their SSH clients support. I'm happy that they added support for tweaking these at least.

    opened by immanuelfodor 10
  • v2.3.0 Milestones

    v2.3.0 Milestones

    @jtesta Hi Joe,

    At the end of July you mentioned that you were hoping to release v2.3.0.

    Are there some specific issues that you want to close before releasing v2.3.0? If so, perhaps they could be tagged as milestones.

    opened by thecliguy 9
  • SSH Connections - Additional Logging and Visibility of Errors

    SSH Connections - Additional Logging and Visibility of Errors

    ADDITIONAL LOGGING

    I'm planning on using ssh-audit in a production environment and would like to be able to demonstrate and record how aggressive a typical audit is.

    Currently verbose output only shows the initial SSH connection that's made to a target server:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/ssh_audit.py#L823

    However an audit actually makes multiple connections to a target server:

    1. The initial connection:
       ssh_audit.py: main --> audit --> err = s.connect()

    2. Obtaining host key(s):
       ssh_audit.py: main --> audit --> HostKeyTest.run(s, kex)
       hostkeytest.py: run --> perform_test --> err = s.connect()
       (err = s.connect() runs once per key type [rsa, ed25519, etc])

    3. Performing DH group exchange:
       ssh_audit.py: main --> audit --> GEXTest.run(s, kex)
       gextest.py: run --> GEXTest.reconnect --> err = s.connect()
       (GEXTest.reconnect runs once per group-exchange alg and once per modulus length for each group-exchange alg)

    @jtesta Would you be happy to entertain the idea of adding some additional logging so that each SSH connection is output? If that sounds OK, do you want this to be added to the existing verbose output or would it be more appropriate to add a new --debug parameter?

    VISIBILITY OF ERRORS

    When obtaining host key(s) and performing DH group exchange, if s.connect() or get_banner() produce an error then currently the error message is suppressed:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/hostkeytest.py#L109-L116

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/gextest.py#L45-L52

    Should we at least display a warning rather than hiding errors?

    opened by thecliguy 8
  • ssh-rsa Host Key Algorithm

    ssh-rsa Host Key Algorithm

    @jtesta Hi Joe

    The OpenSSH 8.3 release notes includes a future deprecation notice where it says: "...we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release".

    Is it worth updating ssh-rsa in ssh2_kexdb.py to mention something like "A future deprecation notice has been issued in OpenSSH 8.3, see https://www.openssh.com/txt/release-8.3." ?

    When I researched the deprecation of ssh-rsa, there seems to be a degree of confusion about the whole thing. So before you do anything, it's probably a good idea to check and make sure that you agree with my interpretation and that I'm not perpetuating incorrect information.

    opened by thecliguy 8
  • Batch scanning fail

    Batch scanning fail

    Hello,

    When I try to scan a batch of targets in a file, if one of those gets a [exception] cannot connect to 127.0.0.1 port 22 : timed out or connection refused, the scan fails. I tried specifying the -b flag but that did not help much. The workaround was to just cat the file and run it in parallel/xargs. But I still figured I should let you know.

    opened by gbiagomba 8
  • Dropbear ssh hardening guide addition

    Dropbear ssh hardening guide addition

    The current release of dropbear can be hardened by building it with the following three lines added to localoptions.h:

    #define DROPBEAR_RSA_SHA1 0
    #define DROPBEAR_DH_GROUP14_SHA1 0
    #define DROPBEAR_SHA1_HMAC 0
    

    Wondering if you would like to add this to your hardening guide.

    Reference: https://github.com/mkj/dropbear/issues/138

    opened by graysky2 0
  • Only SHA256 fingerprints are calculated - no MD5 and SHA512

    Only SHA256 fingerprints are calculated - no MD5 and SHA512

    When scanning a remote server, only the sha256 fingerprints are shown.

    It would make sense to calculate the fingerprint with different hash algorithms, because not every client uses a sha256 hash for fingerprint calculation.

    The following hash algorithms should be used:

    • MD5 (deprecated but there are still clients which are using MD5)
    • SHA512 (rarely used but some clients exist which are using SHA512 fingerprints)

    I know those algorithms are not common, but as long as some clients are using those, ssh-audit should calculate the fingerprints.

    opened by hmaier1996 2
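    As an added example (my own code, not ssh-audit's), this is how OpenSSH derives each of the three fingerprint styles asked for above from one public key: hash the base64-decoded key blob, then print MD5 as colon-separated hex and SHA-256/SHA-512 as unpadded base64, each prefixed with the algorithm name. The sample key is constructed (a structurally valid ssh-ed25519 blob with an all-zero point), so its fingerprints belong to no real host.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type(blob: bytes) -> str:
    """Every SSH public key blob starts with a string naming its type."""
    (n,) = struct.unpack_from(">I", blob, 0)
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes, hash_name: str) -> str:
    """OpenSSH formatting: 'MD5:aa:bb:...' for md5, 'SHA256:<base64 without padding>'
    (likewise SHA512) for the SHA-2 family. All are hashes of the raw blob."""
    digest = hashlib.new(hash_name, blob).digest()
    if hash_name == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return f"{hash_name.upper()}:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints_for_line(pubkey_line: str) -> dict:
    """Take a '<type> <base64 blob> [comment]' line (the .pub file format, and what
    ssh-keyscan prints after the host name) and return all three fingerprints."""
    fields = pubkey_line.split()
    blob = base64.b64decode(fields[1], validate=True)
    if key_type(blob) != fields[0]:
        raise ValueError(f"type field {fields[0]!r} does not match blob type {key_type(blob)!r}")
    return {h: fingerprint(blob, h) for h in ("md5", "sha256", "sha512")}


# Constructed sample: a structurally valid ssh-ed25519 blob whose 32-byte public
# point is all zeros. Not a real key; it only exercises the encoding paths.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " constructed-example"

if __name__ == "__main__":
    for name, fp in fingerprints_for_line(SAMPLE_LINE).items():
        print(f"{name:>6}: {fp}")
```

    For a real key the same values come from `ssh-keygen -l -E md5 -f key.pub` (or `-E sha512`), which is the quickest way to cross-check a fingerprint shown by a client that does not default to SHA-256.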
  • LookupError: unknown encoding: idna

    LookupError: unknown encoding: idna

    I get an exception when scanning some targets using targets file. When scanning these targets manually, it works fine.

    I'm using the ssh-audit.exe in version 2.5 on a Windows 10 VM. To me it looks like an issue of a missing import: import encodings.idna

    An exception occurred while scanning 10.2xx.xx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xxx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xxx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xxx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    opened by kastahl 6
  • Python file

    Python file

    (output truncated)

    $ pip3 show -f ssh-audit
    Version: 2.5.0
    License: UNKNOWN
    Location: /usr/local/lib/python3.10/site-packages
    Requires: 
    Required-by: 
    Files:
      ../../../bin/ssh-audit
      ssh_audit-2.5.0.dist-info/LICENSE
    

    Hello. Be it unknown or not to Python, the license is duly mentioned here

    $ cat /usr/local/lib/python3.10/site-packages/ssh_audit-2.5.0.dist-info/LICENSE | awk 'NF'| head -2
    The MIT License (MIT)
    Copyright (C) 2017-2020 Joe Testa ([email protected])
    

    Whatever side the issue has its root on, it is worth fixing. The copyright's end year might require an up-to-date number. Worth noting that an en-dash (–) is what usage defines as applying to a range of dates, not a hyphen (-), which is commonly misused by developers.

    opened by Ricky-Tigg 2
  • [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    Hi!

    I'm working on a product that needs to implement ssh / scp itself. I've read dozens of RFCs myself already, but still would rather not implement everything myself. As such I've opted to use Apache Mina SSHD.

    Trying to disable the ecdsa-sha2-nistp521 Signature however seems to be problematic. I can see, that ssh-audit tries connecting with only that signature algorithm and then see that the server implementation concludes, that a session cannot be negotiated properly. As such it sends the Message SSH_MSG_DISCONNECT (1), while logging the error message: "SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - sendKexInit() no resolved signatures available".

    However ssh-audit then fails to execute with the following message: [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1). Reading RFC 4253, I would say that this is to be expected though, as on page 18 it says:

      If no algorithm satisfying all these conditions can be found, the
      connection fails, and both sides MUST disconnect.
    

    My test code utilises Testcontainers (testcontainers-java) and JUnit. For reference:

    // SSHTest.java
    import lombok.Cleanup;
    import lombok.extern.slf4j.Slf4j;
    import org.junit.jupiter.api.Test;
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.containers.output.Slf4jLogConsumer;
    import org.testcontainers.containers.startupcheck.IndefiniteWaitOneShotStartupCheckStrategy;
    import org.testcontainers.junit.jupiter.Testcontainers;
    import org.testcontainers.utility.MountableFile;
    
    import java.io.IOException;
    
    import static org.testcontainers.Testcontainers.exposeHostPorts;
    
    @Slf4j
    @Testcontainers
    public final class SSHTest {
        private static final int SSH_PORT = 2222;
        // Name under which Testcontainers exposes the host's ports to a container
        // (see exposeHostPorts below). The report omitted this constant; the
        // value is taken from the --debug output further down.
        private static final String SSH_URL = "host.testcontainers.internal";
    
        @Test
        public void testAudit() throws Exception {
            // createLauncher() starts the product's own Apache MINA SSHD server on
            // SSH_PORT; it is product-specific and was not included in the report.
            @Cleanup final var launcher = createLauncher();
            launcher.start();
    
            // Must run before the audit container starts so that it can reach the host.
            exposeHostPorts(SSH_PORT);
    
            @Cleanup final var container = createContainerAudit();
            container.start();
        }
    
        private static GenericContainer<?> createContainerAudit() {
            return new SSHAudit(new SSHAudit.Config(SSH_URL, SSH_PORT))
                .withLogConsumer(new Slf4jLogConsumer(log))
                .withStartupCheckStrategy(new IndefiniteWaitOneShotStartupCheckStrategy());
        }
    }
    
    // SSHAudit.java
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.utility.DockerImageName;
    
    final class SSHAudit extends GenericContainer<SSHAudit> {
        public SSHAudit(final Config config) {
            super(DockerImageName.parse("positronsecurity/ssh-audit"));
            // Arguments passed to ssh-audit.py inside the container: batch output
            // against HOST:PORT (uncomment "-l", "warn" to suppress info lines).
            this.setCommand(
                "-b",
    //            "-l", "warn",
                config.url()
            );
        }
    
        public record Config(
            String host,
            int port
        ) {
            String url() {
                return this.host + ":" + this.port;
            }
        }
    }
    

    The cause of the error is linked here

    I'm unsure how one would approach this though, as I have not yet understood the code base here. My suggestion would be to check if the server disconnected, but I can see that the protocol definition currently has no such field.

    EDIT:

    Output of Help Menu running in Docker Container
    [main] INFO 🐳 [positronsecurity/ssh-audit:latest] - Container positronsecurity/ssh-audit:latest started in PT1.5658137S
    
    STDOUT # ssh-audit.py v2.5.0, https://github.com/jtesta/ssh-audit
    STDOUT 
    STDOUT usage: ssh-audit.py [options] <host>
    STDOUT 
    STDOUT    -h,  --help             print this help
    STDOUT    -1,  --ssh1             force ssh version 1 only
    STDOUT    -2,  --ssh2             force ssh version 2 only
    STDOUT    -4,  --ipv4             enable IPv4 (order of precedence)
    STDOUT    -6,  --ipv6             enable IPv6 (order of precedence)
    STDOUT    -b,  --batch            batch output
    STDOUT    -c,  --client-audit     starts a server on port 2222 to audit client
    STDOUT                                software config (use -p to change port;
    STDOUT                                use -t to change timeout)
    STDOUT    -d,  --debug            debug output
    STDOUT    -j,  --json             JSON output (use -jj to enable indents)
    STDOUT    -l,  --level=<level>    minimum output level (info|warn|fail)
    STDOUT    -L,  --list-policies    list all the official, built-in policies
    STDOUT         --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
    STDOUT                                     connecting to a server
    STDOUT    -M,  --make-policy=<policy.txt>  creates a policy based on the target server
    STDOUT                                     (i.e.: the target server has the ideal
    STDOUT                                     configuration that other servers should
    STDOUT                                     adhere to)
    STDOUT    -m,  --manual           print the man page (Windows only)
    STDOUT    -n,  --no-colors        disable colors
    STDOUT    -p,  --port=<port>      port to connect
    STDOUT    -P,  --policy=<policy.txt>  run a policy test using the specified policy
    STDOUT    -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
    STDOUT                                (default: 5)
    STDOUT    -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
    STDOUT                                    per line, format HOST[:PORT]).  Use --threads
    STDOUT                                    to control concurrent scans.
    STDOUT         --threads=<threads>    number of threads to use when scanning multiple
    STDOUT                                    targets (-T/--targets) (default: 32)
    STDOUT    -v,  --verbose          verbose output
    STDOUT 
    END 
    
    Output of --debug running in Docker Container (Error).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)
    END 
    ...
    
    Output of --debug running in Docker Container (Successful, but audit fails).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] ecdsa-sha2-nistp521 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    
    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 512...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 768...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1024...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1536...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 2048...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
    STDOUT (gen) compression: enabled (zlib, [email protected])
    STDOUT (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    STDOUT (kex) [email protected] -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    STDOUT (kex) curve448-sha512
    STDOUT (kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
    STDOUT (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
    STDOUT (kex) diffie-hellman-group17-sha512
    STDOUT (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) diffie-hellman-group15-sha512
    STDOUT (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) ext-info-s
    STDOUT (key) ecdsa-sha2-nistp521 -- [fail] using weak elliptic curves
    STDOUT (key) ecdsa-sha2-nistp521 -- [warn] using weak random number generator could reveal the key
    STDOUT (key) ecdsa-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.5
    STDOUT (enc) [email protected] -- [info] default cipher since OpenSSH 6.9.
    STDOUT (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) aes192-ctr -- [info] available since OpenSSH 3.7
    STDOUT (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (rec) -ecdsa-sha2-nistp521 -- key algorithm to remove 
    STDOUT (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    END 
    
    
    opened by BjoernAkAManf 3
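    To make the protocol point concrete, here is an added example (my own code, not ssh-audit's and not Apache MINA's) that builds the unencrypted SSH_MSG_DISCONNECT packet a server sends when no host key algorithm can be agreed, using the packet layout from RFC 4253 section 6 and the message format from section 11.1, plus a reader that, where a client expects MSG_KEXINIT, decodes the disconnect reason code and description instead of reporting "unknown message (1)". The description text is the MINA log line quoted above; reason code 9 (SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE) is the RFC value for that condition and is an assumption about what MINA actually sends.

```python
import struct

SSH_MSG_DISCONNECT = 1
SSH_MSG_KEXINIT = 20

# Reason codes from RFC 4253 section 11.1.
DISCONNECT_REASONS = {
    1: "SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT",
    2: "SSH_DISCONNECT_PROTOCOL_ERROR",
    3: "SSH_DISCONNECT_KEY_EXCHANGE_FAILED",
    4: "SSH_DISCONNECT_RESERVED",
    5: "SSH_DISCONNECT_MAC_ERROR",
    6: "SSH_DISCONNECT_COMPRESSION_ERROR",
    7: "SSH_DISCONNECT_SERVICE_NOT_AVAILABLE",
    8: "SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED",
    9: "SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE",
    10: "SSH_DISCONNECT_CONNECTION_LOST",
    11: "SSH_DISCONNECT_BY_APPLICATION",
    12: "SSH_DISCONNECT_TOO_MANY_CONNECTIONS",
    13: "SSH_DISCONNECT_AUTH_CANCELLED_BY_USER",
    14: "SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE",
    15: "SSH_DISCONNECT_ILLEGAL_USER_NAME",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an RFC 4251 string at `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """RFC 4253 section 6 binary packet before encryption: uint32 packet_length,
    byte padding_length, payload, random padding. Padding is at least 4 bytes and
    pads the whole packet to a multiple of the cipher block size (8 pre-KEX)."""
    padding = block_size - ((5 + len(payload)) % block_size)
    if padding < 4:
        padding += block_size
    header = struct.pack(">IB", 1 + len(payload) + padding, padding)
    return header + payload + bytes(padding)  # zero padding is fine for an example


def build_disconnect(reason: int, description: str) -> bytes:
    """SSH_MSG_DISCONNECT payload: byte 1, uint32 reason, string description,
    string language tag (empty here), wrapped in a binary packet."""
    payload = (bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", reason)
               + ssh_string(description.encode("utf-8")) + ssh_string(b""))
    return build_packet(payload)


def read_payload(packet: bytes) -> bytes:
    """Strip the packet header and padding, checking the length fields first."""
    packet_length, padding_length = struct.unpack_from(">IB", packet, 0)
    if packet_length < padding_length + 1 or len(packet) < 4 + packet_length:
        raise ValueError("truncated or malformed packet")
    return packet[5:4 + packet_length - padding_length]


def expect_kexinit(packet: bytes) -> dict:
    """Client-side handling of the first packet after the banner exchange. A
    DISCONNECT is surfaced with its reason instead of being called 'unknown'."""
    payload = read_payload(packet)
    msg_type = payload[0]
    if msg_type == SSH_MSG_KEXINIT:
        return {"type": "KEXINIT", "payload": payload}
    if msg_type == SSH_MSG_DISCONNECT:
        (reason,) = struct.unpack_from(">I", payload, 1)
        description, _ = read_string(payload, 5)
        return {"type": "DISCONNECT", "reason": reason,
                "reason_name": DISCONNECT_REASONS.get(reason, "unknown reason code"),
                "description": description.decode("utf-8", "replace")}
    raise ValueError(f"did not receive MSG_KEXINIT (20), instead received unknown message ({msg_type})")


# Constructed sample: what a server that cannot offer any host key algorithm the
# client listed might send (description taken from the MINA log line above).
SAMPLE_DISCONNECT = build_disconnect(
    9, "SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - sendKexInit() no resolved signatures available")

if __name__ == "__main__":
    print(expect_kexinit(SAMPLE_DISCONNECT))
```

    An auditor that handles the DISCONNECT this way can also record the result as a finding in its own right: a server that drops the connection when offered only one host key algorithm is telling you that algorithm is not enabled, which is exactly the information a per-algorithm host key probe is after.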
Releases (v2.5.0)
Owner
Joe Testa
Principal penetration tester and founder of Positron Security. @therealjoetesta