mirror of
https://github.com/jtesta/ssh-audit.git
{
"additional_notes": [],
"banner": {
"comments": null,
"protocol": "2.0",
"raw": "SSH-2.0-dropbear_2019.78",
"software": "dropbear_2019.78"
},
"compression": [
"zlib@openssh.com",
"none"
],
"cves": [],
"enc": [
{
"algorithm": "aes128-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-ctr",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since Dropbear SSH 0.52"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
}
],
"fingerprints": [
{
"hash": "jdUfqoGCDOY1drQcoqIJm/pEix2r09hqwOs9E9GimZQ",
"hash_alg": "SHA256",
"hostkey": "ecdsa-sha2-nistp256"
},
{
"hash": "98:27:f3:12:20:f6:23:6d:1a:00:2a:6c:71:7c:1e:6b",
"hash_alg": "MD5",
"hostkey": "ecdsa-sha2-nistp256"
},
{
"hash": "NBzry0uMAX8BRsn4mv9CHpeivMOdwzGFEKrf6Hg7tIQ",
"hash_alg": "SHA256",
"hostkey": "ssh-dss"
},
{
"hash": "16:60:9e:54:d7:1e:b3:0d:97:60:12:ad:fe:83:a2:40",
"hash_alg": "MD5",
"hostkey": "ssh-dss"
},
{
"hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM",
"hash_alg": "SHA256",
"hostkey": "ssh-rsa"
},
{
"hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2",
"hash_alg": "MD5",
"hostkey": "ssh-rsa"
}
],
"kex": [
{
"algorithm": "curve25519-sha256",
"notes": {
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "curve25519-sha256@libssh.org",
"notes": {
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "ecdh-sha2-nistp521",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "ecdh-sha2-nistp384",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "ecdh-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "diffie-hellman-group14-sha256",
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
{
"algorithm": "kexguess2@matt.ucc.asn.au",
"notes": {
"info": [
"available since Dropbear SSH 2013.57"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
],
"key": [
{
"algorithm": "ecdsa-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
},
{
"algorithm": "ssh-rsa",
"keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
},
{
"algorithm": "ssh-dss",
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
}
],
"mac": [
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha2-256",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
],
"recommendations": {
"critical": {
"del": {
"enc": [
{
"name": "3des-cbc",
"notes": ""
},
{
"name": "3des-ctr",
"notes": ""
}
],
"kex": [
{
"name": "diffie-hellman-group14-sha1",
"notes": ""
},
{
"name": "ecdh-sha2-nistp256",
"notes": ""
},
{
"name": "ecdh-sha2-nistp384",
"notes": ""
},
{
"name": "ecdh-sha2-nistp521",
"notes": ""
}
],
"key": [
{
"name": "ecdsa-sha2-nistp256",
"notes": ""
},
{
"name": "ssh-dss",
"notes": ""
},
{
"name": "ssh-rsa",
"notes": ""
}
],
"mac": [
{
"name": "hmac-sha1",
"notes": ""
},
{
"name": "hmac-sha1-96",
"notes": ""
}
]
}
},
"informational": {
"add": {
"enc": [
{
"name": "twofish128-ctr",
"notes": ""
},
{
"name": "twofish256-ctr",
"notes": ""
}
]
}
},
"warning": {
"del": {
"enc": [
{
"name": "aes128-cbc",
"notes": ""
},
{
"name": "aes256-cbc",
"notes": ""
}
],
"kex": [
{
"name": "curve25519-sha256",
"notes": ""
},
{
"name": "curve25519-sha256@libssh.org",
"notes": ""
},
{
"name": "diffie-hellman-group14-sha256",
"notes": ""
},
{
"name": "kexguess2@matt.ucc.asn.au",
"notes": ""
}
],
"mac": [
{
"name": "hmac-sha2-256",
"notes": ""
}
]
}
}
},
"target": "localhost:2222"
}