Commit Graph

160 Commits

Author SHA1 Message Date
Joe Testa
c259a83782 Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures. 2023-12-19 14:03:28 -05:00
Joe Testa
8e972c5e94 Added test for the Terrapin vulnerability (CVE-2023-48795) (#227). 2023-12-18 18:24:49 -05:00
Joe Testa
ba8e8a7e68 Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide. 2023-11-27 21:33:13 -05:00
Joe Testa
bad2c9cd8e In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types. 2023-11-27 20:07:36 -05:00
Joe Testa
69e1e121fd In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides. 2023-11-27 19:15:18 -05:00
Joe Testa
02ab487232 Bumped version to v3.1.0-dev. 2023-09-07 08:57:59 -04:00
Joe Testa
f517e03d9f Bumped version to v3.0.0. 2023-09-07 07:45:07 -04:00
Joe Testa
e26597a7aa Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'. 2023-09-05 20:10:37 -04:00
Joe Testa
f8e29674a3 Refined JSON notes output. Fixed Docker & Tox tests. 2023-09-05 16:36:54 -04:00
Bareq
d3dd5a9cac
Improved JSON output (#185) 2023-09-05 16:16:23 -04:00
Joe Testa
884ef645f8 Prioritized certificate host key types for Ubuntu 22.04 client policy. (#193) 2023-09-05 14:01:51 -04:00
Joe Testa
38f9c21760 The color of all notes will be printed in green when the related algorithm is rated good. 2023-09-03 19:14:25 -04:00
Joe Testa
4e6169d0cb Added built-in policy for OpenSSH 9.4. 2023-09-03 18:12:16 -04:00
Joe Testa
199e75f6cd Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results. 2023-09-03 16:13:00 -04:00
Joe Testa
3f2fdbaa3d Fixed crash during GEX tests. 2023-07-11 11:08:42 -04:00
thecliguy
83f9e48271
Recommendation output now respects level (#196) 2023-06-20 16:09:37 -04:00
Dani Cuesta
a74c3abdde
Removed sys.exit from _resolve in ssh_socket.py (#187)
Changed (and documented) _resolve so the application does not quit when a hostname cannot be resolved.

Adapted connect function to expect incoming exceptions from _resolve

This fixes issue #186
2023-06-20 09:21:06 -04:00
Joe Testa
e99cb0b579 Now prints the reason why socket listening operations fail. 2023-06-20 08:43:11 -04:00
Joe Testa
639f11a5e5 Results from concurrent scans against multiple hosts are no longer improperly combined (#190). 2023-06-19 14:13:32 -04:00
Joe Testa
521a50a796 Added 'curve448-sha512@libssh.org' kex. (#195) 2023-06-19 10:35:13 -04:00
Joe Testa
2d5a97841f Bumped version to 3.0.0-dev. 2023-04-29 14:46:07 -04:00
Joe Testa
3c1451cfdc Bumped version to v2.9.0. 2023-04-29 12:33:26 -04:00
Joe Testa
929652c9b7 Simplified host key test logic. 2023-04-29 11:59:50 -04:00
thecliguy
e172932977
RSA key size comments duplicated for all RSA sig algs (#182)
* RSA key size comments duplicated for all RSA sig algs

* Save results on completion of testing a hostkey

* Revised list names because they operates against all keys now not just rsa.

* ensure all required fields added for non-rsa keys

* Correction to the saving of comments against non-rsa keys
2023-04-29 11:39:29 -04:00
Joe Testa
c33e7d9b72 Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3. 2023-04-27 21:40:47 -04:00
Joe Testa
0074fcc1af Rolled back Windows multithreading crash fix, as upgrading from Python v3.9 to v3.11 may have fixed the root cause. (#152) 2023-04-26 21:55:40 -04:00
Joe Testa
7f8d6b4d5b Fixed built-in policy formatting and filled in missing host key size information. 2023-04-26 15:47:58 -04:00
Joe Testa
05f159a152 Fixed Windows-specific crash when multiple threads are used (#152). 2023-04-25 10:18:45 -04:00
Joe Testa
263267c5ad Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120). 2023-04-25 09:17:32 -04:00
Joe Testa
4f31304b66 Alphabetized algorithm database. 2023-03-28 12:09:25 -04:00
Joe Testa
dc083de87e Added recommendations and CVE information to JSON output (#122). 2023-03-24 18:48:36 -04:00
Joe Testa
7d5eb37a0f Updated colorama initialization. 2023-03-24 16:43:38 -04:00
Joe Testa
cc9e4fbc4a Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures. 2023-03-23 21:36:02 -04:00
Joe Testa
992aa1b961 Added support for kex GSS wildcards (#143). 2023-03-21 22:17:23 -04:00
thecliguy
e2a9896397
Deprecation of ssh-rsa signature algorithm in OpenSSH 8.8 (#171) 2023-03-21 14:52:23 -04:00
Joe Testa
71feaa191e Add note regarding OpenSSH's 2048-bit GEX fallback, and suppress the related recommendation since the user cannot control it (partly related to #168). 2023-03-21 11:44:45 -04:00
thecliguy
e4d864c6c1
usage now respects no color (#162)
* usage now respects no color

* Removed superfluous parens after 'not'
2023-02-06 18:20:34 -05:00
Joe Testa
c9dc9a9c10 Now issues a warning when 2048-bit moduli are encountered. 2023-02-06 16:27:30 -05:00
Joe Testa
f9e00b6f2d Renamed WARN_CURVES_WEAK to FAIL_CURVES_WEAK. 2023-02-03 17:22:10 -05:00
Joe Testa
433c7e779d Added 2 new ciphers: 'rijndael-cbc@ssh.com', 'cast128-12-cbc@ssh.com'. Added 21 new host key types: . 2023-02-02 18:57:53 -05:00
Joe Testa
984ea1eee3 Added the following 9 new host key types: 'dsa2048-sha224@libassh.org', 'dsa2048-sha256@libassh.org', 'dsa3072-sha256@libassh.org', 'ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com', 'eddsa-e382-shake256@libassh.org', 'eddsa-e521-shake256@libassh.org', 'null', 'pgp-sign-dss', 'pgp-sign-rsa'. Added the following 22 new key exchange algorithms: 'diffie-hellman-group-exchange-sha224@ssh.com', 'diffie-hellman-group-exchange-sha384@ssh.com', 'diffie-hellman-group14-sha224@ssh.com', 'diffie-hellman_group17-sha512', 'ecmqv-sha2', 'gss-13.3.132.0.10-sha256-*', 'gss-curve25519-sha256-*', 'gss-curve448-sha512-*', 'gss-gex-sha1-*', 'gss-gex-sha256-*', 'gss-group1-sha1-*', 'gss-group14-sha1-*', 'gss-group14-sha256-*', 'gss-group15-sha512-*', 'gss-group16-sha512-*', 'gss-group17-sha512-*', 'gss-group18-sha512-*', 'gss-nistp256-sha256-*', 'gss-nistp384-sha256-*', 'gss-nistp521-sha512-*', 'm383-sha384@libassh.org', 'm511-sha512@libassh.org'. Added the following 26 new ciphers: '3des-cfb', '3des-ecb', '3des-ofb', 'blowfish-cfb', 'blowfish-ecb', 'blowfish-ofb', 'camellia128-cbc@openssh.org', 'camellia128-ctr@openssh.org', 'camellia192-cbc@openssh.org', 'camellia192-ctr@openssh.org', 'camellia256-cbc@openssh.org', 'camellia256-ctr@openssh.org', 'cast128-cfb', 'cast128-ecb', 'cast128-ofb', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'seed-ctr@ssh.com', 'serpent128-gcm@libassh.org', 'serpent256-gcm@libassh.org', 'twofish-cfb', 'twofish-ecb', 'twofish-ofb', 'twofish128-gcm@libassh.org', 'twofish256-gcm@libassh.org'. Added the following 4 new HMAC algorithms: 'hmac-sha224@ssh.com', 'hmac-sha256-2@ssh.com', 'hmac-sha384@ssh.com', 'hmac-whirlpool'. 2023-02-02 18:30:40 -05:00
Joe Testa
0b905a7fdd Added Ubuntu Client 22.04 hardening policy. 2023-02-01 19:29:54 -05:00
Joe Testa
32ff04c2cc Added Tox testing for Python 3.11. Fixed flake8 & pylint errors. 2023-02-01 17:56:54 -05:00
thecliguy
e50ac5c84d
Gex test usage text (#158)
* Reformatted Usage Text for --gex-test in README.md

* Reformatted Usage Text for --gex-test in ssh_audit.py

Reformatted to adhere to a max line length of 80 characters.
2022-10-27 10:11:05 -04:00
Manfred Kaiser
29496b43d5
updated vulnerability database (#157)
* updated vulnerability database

* added info for CVE-2021-36367
2022-10-27 10:10:17 -04:00
Joe Testa
3300c60aaa Added 'ssh-xmss@openssh.com' and 'ssh-xmss-cert-v01@openssh.com' experimental host keys (#146). 2022-10-14 23:21:09 -04:00
Joe Testa
78a9475a32 Added hmac-sha1-96@openssh.com MAC. (#148) 2022-10-14 22:56:02 -04:00
Joe Testa
d429b543d0 Added support for host key 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com' (#149). 2022-10-10 20:51:37 -04:00
Joe Testa
b9520cbc25 Fixed pylint & flake8 warnings and errors. 2022-10-10 20:40:29 -04:00
Joe Testa
0b8ecf2fb5 Added Ubuntu Server 22.04 LTS hardening policy. 2022-10-10 20:34:28 -04:00
Joe Testa
113d1de443 Removed experimental warning tag from sntrup761x25519-sha512@openssh.com. 2022-04-10 12:16:25 -04:00
Joe Testa
11905ed44a Fixed pylint errors, consolidated error checking for granular GEX tests, renamed functions for better readability. 2022-03-24 10:53:47 -04:00
Adam Russell
19f192d21f Corrected accidental text update and a minor typo. 2022-03-24 10:53:47 -04:00
Adam Russell
5ac0ffa8f1 DH GEX Modulus Size Testing 2022-03-24 10:53:47 -04:00
Joe Testa
0a6ac5de54 Updated CVE vulnerability flag. 2022-02-21 21:51:35 -05:00
Alexandre ZANNI
1bdf7029b4
add a bunch of openssh CVEs (#126) 2022-02-21 21:41:44 -05:00
Joe Testa
5fbcb1b90f Added 24 new key exchanges: 'ecdh-sha2-1.3.132.0.1', 'ecdh-sha2-1.2.840.10045.3.1.1', 'ecdh-sha2-1.3.132.0.33', 'ecdh-sha2-1.3.132.0.26', 'ecdh-sha2-1.3.132.0.27', 'ecdh-sha2-1.2.840.10045.3.1.7', 'ecdh-sha2-1.3.132.0.16', 'ecdh-sha2-1.3.132.0.34', 'ecdh-sha2-1.3.132.0.36', 'ecdh-sha2-1.3.132.0.37', 'ecdh-sha2-1.3.132.0.35', 'ecdh-sha2-1.3.132.0.38', 'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==', 'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==', 'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==', 'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==', 'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==', 'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==', 'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==', 'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==', 'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==', 'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==', 'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==', 'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w=='. 2021-10-20 22:25:20 -04:00
Joe Testa
4ace52a190 Now prints a more user-friendly error message when installed as a Snap package and permission errors are encountered. Updated the Snap build process as well. 2021-10-14 23:56:03 -04:00
tomatohater1337
1f0b3acff2
Complete "target" in the JSON output with the port (#123)
* Complete "target" in JSON output with the port

The JSON output was not showing the port of the target which was scanned. This could be problematic when scanning a host with more than one ssh service running.

* Docker tests completet with the port of the scan target in the JSON output
2021-10-13 23:44:55 -04:00
Joe Testa
9f87acfc74 Bumped version to v2.6.0-dev. 2021-08-27 11:25:27 -04:00
a1346054
597b500eba
Minor cleanups (#116)
* docker_test.sh: fix shellcheck warnings

* docker_test.sh: unify style

No changes in functionality.

* docker_test.sh: whitespace fixes

* stop mixing tabs and spaces
* remove trailing whitespace

* invoke bash using /usr/bin/env

* build_windows_executable.sh: fix variable assignment

* update_windows_man_page.sh: unify style

No changes in functionality.

* whitespace fixes

* stop mixing tabs and spaces
* remove trailing whitespace

* fix spelling

* remove trailing whitespace
2021-08-27 11:19:18 -04:00
Joe Testa
4f2f995b62 Bumped version to v2.5.0. 2021-08-26 15:24:34 -04:00
Joe Testa
e7d320f602 Fixed new pylint warnings. 2021-08-25 13:28:30 -04:00
Joe Testa
682cb66f85 Added OpenSSH v8.6 & v8.7 policies. 2021-08-25 12:30:38 -04:00
Joe Testa
076681a671 Added 3 new key exchanges: gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== 2021-07-08 10:18:25 -04:00
Joe Testa
98a1fb0315 Added two new MACs: 'AEAD_AES_128_GCM', and 'AEAD_AES_256_GCM'. 2021-06-28 21:59:41 -04:00
Joe Testa
45da9f20ae Added 'rsa-sha2-512' and 'rsa-sha2-256' to OpenSSH 8.1 (and earlier) policies. 2021-05-31 15:49:56 -04:00
Joe Testa
aa21df29e7 Now handles exceptions during server KEX parsing more gracefully. 2021-05-24 19:50:25 -04:00
Joe Testa
32ed9242af Now prints JSON with indents when is used (useful for debugging). 2021-05-20 19:04:35 -04:00
Joe Testa
07862489c4 Added MD5 fingerprint hashes to verbose output. 2021-05-20 18:03:24 -04:00
Joe Testa
e508a963e7 Added 1 new MAC: hmac-ripemd160-96. 2021-05-20 14:17:37 -04:00
Joe Testa
8e9fe20fac SSH_Socket's constructor now takes an OutputBuffer for verbose & debugging output. 2021-03-02 11:25:37 -05:00
thecliguy
83bd049486
Debug Logging and visibility of SSH Connection errors (#99)
* Debug Logging and visibility of SSH Connection errors

* Updated date in man page
2021-03-02 11:06:40 -05:00
Joe Testa
c483fe1861 Fixed a crash while doing host key tests. 2021-02-26 16:01:30 -05:00
Joe Testa
f96c0501e9 Bumped version number. 2021-02-23 20:39:18 -05:00
Joe Testa
b300ad1252 Refactored IPv4/6 preference logic to fix pylint warnings. 2021-02-23 16:05:01 -05:00
Joe Testa
1bbc3feb57 Added OpenSSH 8.5 built-in policy. Added sntrup761x25519-sha512@openssh.com kex. 2021-02-23 16:02:20 -05:00
thecliguy
8a8c284d9a
Colour no longer disabled on older vers of Windows. If ssh-audit invoked with a manual parameter and the colorama library was not imported then colour output is disabled. (#95) 2021-02-18 14:52:08 -05:00
Joe Testa
1b7cfbec71 Disable color output on Windows 8 and Windows Server 2012. 2021-02-06 11:03:39 -05:00
Joe Testa
ef831d17e0 When -n/--no-colors is used, strip out color from Windows man page. 2021-02-05 21:45:56 -05:00
Joe Testa
36094611ce Fixed unicode errors when printing the man page on Windows. 2021-02-05 20:39:12 -05:00
Joe Testa
11e2e77585 Simplified Windows man page processing. Added Cygwin support to update_windows_man_page.sh. 2021-02-05 16:25:04 -05:00
thecliguy
090b5d760b
Man Page on Windows (#93)
* Man Page on Windows

* Corrected typo in update_windows_man_page.sh

* Check that the 'sed' (stream editor) binary exists
2021-02-05 15:43:50 -05:00
Joe Testa
e0f0956edc Added extra warnings for SSHv1. (#6) 2021-02-02 12:20:37 -05:00
Joe Testa
c49a0fb22f Upgraded SHA-1 key signatures from warnings to failures. Added deprecation warning to ssh-rsa-cert-v00@openssh.com, ssh-rsa-cert-v01@openssh.com, x509v3-sign-rsa, and x509v3-ssh-rsa host key types. 2021-02-01 19:19:46 -05:00
thecliguy
dbe14a075e
Added future deprecation notice of ssh-rsa (#92) 2021-02-01 13:17:46 -05:00
Joe Testa
13d15baa2a Added multi-threaded scanning support. 2021-02-01 13:10:06 -05:00
Joe Testa
bbb81e24ab Streamlined sending of KEXINIT messages. 2021-01-21 11:23:40 -05:00
Joe Testa
60de5e55cb Transformed comment type annotations to variable declaration annotations. 2021-01-21 10:20:48 -05:00
Joe Testa
1ba4c7c7ca Send KEX before reading server's KEX during host key and GEX tests; this prevents deadlock against certain server implementations. 2021-01-20 15:27:38 -05:00
Joe Testa
338ffc5adb Fixed crash when receiving unexpected response during host key test. 2020-11-05 20:29:39 -05:00
Joe Testa
52d1e8f27b Fixed pylint warning. 2020-11-05 20:28:14 -05:00
Joe Testa
0d9881966c Added version check for OpenSSH user enumeration (CVE-2018-15473). (#83) 2020-11-05 20:24:09 -05:00
Joe Testa
5c8dc5105b Bumped version number. 2020-11-05 20:16:35 -05:00
Joe Testa
81ae0eb8f7 Bumped version. 2020-10-28 19:25:11 -04:00
thecliguy
a3e4f9dbaa
Added similar algorithm suggestions to --lookup (#80) 2020-10-28 11:56:12 -04:00
Joe Testa
0cb3127482 Fixed pylint warnings. 2020-10-21 19:36:43 -04:00
Joe Testa
f0db035044 Now prints a graceful error message when policy file is not found. 2020-10-20 23:26:21 -04:00
Joe Testa
1730126af8 Removed 'ssh-rsa-cert-v01@openssh.com' from built-in policies. 2020-10-20 23:19:56 -04:00
Joe Testa
175bd2cf66 Fixed recommendation output function from suppressing some algorithms inappropriately. 2020-10-20 21:34:34 -04:00