pax_global_header00006660000000000000000000000064130041516050014505gustar00rootroot0000000000000052 comment=e42064b9b9c5e630574d306c1f349a1ff0bc1d6a ssh-audit-1.7.0/000077500000000000000000000000001300415160500134135ustar00rootroot00000000000000ssh-audit-1.7.0/.gitignore000066400000000000000000000000341300415160500154000ustar00rootroot00000000000000*~ *.pyc html/ venv/ .cache/ssh-audit-1.7.0/.travis.yml000066400000000000000000000004371300415160500155300ustar00rootroot00000000000000language: python python: - 2.6 - 2.7 - 3.3 - 3.4 - 3.5 - pypy - pypy3 install: - pip install --upgrade pytest - pip install --upgrade pytest-cov - pip install --upgrade coveralls script: - py.test --cov-report= --cov=ssh-audit -v test after_success: - coveralls ssh-audit-1.7.0/README.md000066400000000000000000000101641300415160500146740ustar00rootroot00000000000000# ssh-audit [![build status](https://api.travis-ci.org/arthepsy/ssh-audit.svg)](https://travis-ci.org/arthepsy/ssh-audit) [![coverage status](https://coveralls.io/repos/github/arthepsy/ssh-audit/badge.svg)](https://coveralls.io/github/arthepsy/ssh-audit) **ssh-audit** is a tool for ssh server auditing. ## Features - SSH1 and SSH2 protocol server support; - grab banner, recognize device or software and operating system, detect compression; - gather key-exchange, host-key, encryption and message authentication code algorithms; - output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc); - output algorithm recommendations (append or remove based on recognized software version); - output security information (related issues, assigned CVE list, etc); - analyze SSH version compatibility based on algorithm information; - historical information from OpenSSH, Dropbear SSH and libssh; - no dependencies, compatible with Python 2.6+, Python 3.x and PyPy; ## Usage ``` usage: ssh-audit.py [-1246pbnvl] -1, --ssh1 force ssh version 1 only -2, --ssh2 force ssh version 2 only -4, --ipv4 enable IPv4 (order of precedence) -6, --ipv6 enable IPv6 (order of precedence) -p, --port= port to connect -b, --batch batch output -n, --no-colors disable colors -v, --verbose verbose output -l, --level= minimum output level (info|warn|fail) ``` * if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`. * batch flag `-b` will output sections without header and without empty lines (implies verbose flag). * verbose flag `-v` will prefix each line with section type and algorithm name. ### example ![screenshot](https://cloud.githubusercontent.com/assets/7356025/19233757/3e09b168-8ef0-11e6-91b4-e880bacd0b8a.png) ## ChangeLog ### v1.7.0 (2016-10-26) - implement options to allow specify IPv4/IPv6 usage and order of precedence - implement option to specify remote port (old behavior kept for compatibility) - add colors support for Microsoft Windows via optional colorama dependency - fix encoding and decoding issues, add tests, do not crash on encoding errors - use mypy-lang for static type checking and verify all code ### v1.6.0 (2016-10-14) - implement algorithm recommendations section (based on recognized software) - implement full libssh support (version history, algorithms, security, etc) - fix SSH-1.99 banner recognition and version comparison functionality - do not output empty algorithms (happens for misconfigured servers) - make consistent output for Python 3.x versions - add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc) - use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3) ### v1.5.0 (2016-09-20) - create security section for related security information - match and output assigned CVE list and security issues for Dropbear SSH - implement full SSH1 support with fingerprint information - automatically fallback to SSH1 on protocol mismatch - add new options to force SSH1 or SSH2 (both allowed by default) - parse banner information and convert it to specific software and OS version - do not use padding in batch mode - several fixes (Cisco sshd, rare hangs, error handling, etc) ### v1.0.20160902 - implement batch output option - implement minimum output level option - fix compatibility with Python 2.6 ### v1.0.20160812 - implement SSH version compatibility feature - fix wrong mac algorithm warning - fix Dropbear SSH version typo - parse pre-banner header - better errors handling ### v1.0.20160803 - use OpenSSH 7.3 banner - add new key-exchange algorithms ### v1.0.20160207 - use OpenSSH 7.2 banner - additional warnings for OpenSSH 7.2 - fix OpenSSH 7.0 failure messages - add rijndael-cbc failure message from OpenSSH 6.7 ### v1.0.20160105 - multiple additional warnings - support for none algorithm - better compression handling - ensure reading enough data (fixes few Linux SSH) ### v1.0.20151230 - Dropbear SSH support ### v1.0.20151223 - initial version ssh-audit-1.7.0/ssh-audit.py000077500000000000000000002020101300415160500156640ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """ The MIT License (MIT) Copyright (C) 2016 Andris Raugulis (moo@arthepsy.eu) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. """ from __future__ import print_function import os, io, sys, socket, struct, random, errno, getopt, re, hashlib, base64 VERSION = 'v1.7.0' if sys.version_info >= (3,): # pragma: nocover StringIO, BytesIO = io.StringIO, io.BytesIO text_type = str binary_type = bytes else: # pragma: nocover import StringIO as _StringIO # pylint: disable=import-error StringIO = BytesIO = _StringIO.StringIO text_type = unicode # pylint: disable=undefined-variable binary_type = str try: # pragma: nocover # pylint: disable=unused-import from typing import List, Set, Sequence, Tuple, Iterable from typing import Callable, Optional, Union, Any except ImportError: # pragma: nocover pass try: # pragma: nocover from colorama import init as colorama_init colorama_init() # pragma: nocover except ImportError: # pragma: nocover pass def usage(err=None): # type: (Optional[str]) -> None uout = Output() p = os.path.basename(sys.argv[0]) uout.head('# {0} {1}, moo@arthepsy.eu\n'.format(p, VERSION)) if err is not None: uout.fail('\n' + err) uout.info('usage: {0} [-1246pbnvl] \n'.format(p)) uout.info(' -h, --help print this help') uout.info(' -1, --ssh1 force ssh version 1 only') uout.info(' -2, --ssh2 force ssh version 2 only') uout.info(' -4, --ipv4 enable IPv4 (order of precedence)') uout.info(' -6, --ipv6 enable IPv6 (order of precedence)') uout.info(' -p, --port= port to connect') uout.info(' -b, --batch batch output') uout.info(' -n, --no-colors disable colors') uout.info(' -v, --verbose verbose output') uout.info(' -l, --level= minimum output level (info|warn|fail)') uout.sep() sys.exit(1) class AuditConf(object): # pylint: disable=too-many-instance-attributes def __init__(self, host=None, port=22): # type: (Optional[str], int) -> None self.host = host self.port = port self.ssh1 = True self.ssh2 = True self.batch = False self.colors = True self.verbose = False self.minlevel = 'info' self.ipvo = () # type: Sequence[int] self.ipv4 = False self.ipv6 = False def __setattr__(self, name, value): # type: (str, Union[str, int, bool, Sequence[int]]) -> None valid = False if name in ['ssh1', 'ssh2', 'batch', 'colors', 'verbose']: valid, value = True, True if value else False elif name in ['ipv4', 'ipv6']: valid = False value = True if value else False ipv = 4 if name == 'ipv4' else 6 if value: value = tuple(list(self.ipvo) + [ipv]) else: if len(self.ipvo) == 0: value = (6,) if ipv == 4 else (4,) else: value = tuple(filter(lambda x: x != ipv, self.ipvo)) self.__setattr__('ipvo', value) elif name == 'ipvo': if isinstance(value, (tuple, list)): uniq_value = utils.unique_seq(value) value = tuple(filter(lambda x: x in (4, 6), uniq_value)) valid = True ipv_both = len(value) == 0 object.__setattr__(self, 'ipv4', ipv_both or 4 in value) object.__setattr__(self, 'ipv6', ipv_both or 6 in value) elif name == 'port': valid, port = True, utils.parse_int(value) if port < 1 or port > 65535: raise ValueError('invalid port: {0}'.format(value)) value = port elif name in ['minlevel']: if value not in ('info', 'warn', 'fail'): raise ValueError('invalid level: {0}'.format(value)) valid = True elif name == 'host': valid = True if valid: object.__setattr__(self, name, value) @classmethod def from_cmdline(cls, args, usage_cb): # type: (List[str], Callable[..., None]) -> AuditConf # pylint: disable=too-many-branches aconf = cls() try: sopts = 'h1246p:bnvl:' lopts = ['help', 'ssh1', 'ssh2', 'ipv4', 'ipv6', 'port', 'batch', 'no-colors', 'verbose', 'level='] opts, args = getopt.getopt(args, sopts, lopts) except getopt.GetoptError as err: usage_cb(str(err)) aconf.ssh1, aconf.ssh2 = False, False oport = None for o, a in opts: if o in ('-h', '--help'): usage_cb() elif o in ('-1', '--ssh1'): aconf.ssh1 = True elif o in ('-2', '--ssh2'): aconf.ssh2 = True elif o in ('-4', '--ipv4'): aconf.ipv4 = True elif o in ('-6', '--ipv6'): aconf.ipv6 = True elif o in ('-p', '--port'): oport = a elif o in ('-b', '--batch'): aconf.batch = True aconf.verbose = True elif o in ('-n', '--no-colors'): aconf.colors = False elif o in ('-v', '--verbose'): aconf.verbose = True elif o in ('-l', '--level'): if a not in ('info', 'warn', 'fail'): usage_cb('level {0} is not valid'.format(a)) aconf.minlevel = a if len(args) == 0: usage_cb() if oport is not None: host = args[0] port = utils.parse_int(oport) else: s = args[0].split(':') host = s[0].strip() if len(s) == 2: oport, port = s[1], utils.parse_int(s[1]) else: oport, port = '22', 22 if not host: usage_cb('host is empty') if port <= 0 or port > 65535: usage_cb('port {0} is not valid'.format(oport)) aconf.host = host aconf.port = port if not (aconf.ssh1 or aconf.ssh2): aconf.ssh1, aconf.ssh2 = True, True return aconf class Output(object): LEVELS = ['info', 'warn', 'fail'] COLORS = {'head': 36, 'good': 32, 'warn': 33, 'fail': 31} def __init__(self): # type: () -> None self.batch = False self.colors = True self.verbose = False self.__minlevel = 0 @property def minlevel(self): # type: () -> str if self.__minlevel < len(self.LEVELS): return self.LEVELS[self.__minlevel] return 'unknown' @minlevel.setter def minlevel(self, name): # type: (str) -> None self.__minlevel = self.getlevel(name) def getlevel(self, name): # type: (str) -> int cname = 'info' if name == 'good' else name if cname not in self.LEVELS: return sys.maxsize return self.LEVELS.index(cname) def sep(self): # type: () -> None if not self.batch: print() @property def colors_supported(self): # type: () -> bool return 'colorama' in sys.modules or os.name == 'posix' @staticmethod def _colorized(color): # type: (str) -> Callable[[text_type], None] return lambda x: print(u'{0}{1}\033[0m'.format(color, x)) def __getattr__(self, name): # type: (str) -> Callable[[text_type], None] if name == 'head' and self.batch: return lambda x: None if not self.getlevel(name) >= self.__minlevel: return lambda x: None if self.colors and self.colors_supported and name in self.COLORS: color = '\033[0;{0}m'.format(self.COLORS[name]) return self._colorized(color) else: return lambda x: print(u'{0}'.format(x)) class OutputBuffer(list): def __enter__(self): # type: () -> OutputBuffer # pylint: disable=attribute-defined-outside-init self.__buf = StringIO() self.__stdout = sys.stdout sys.stdout = self.__buf return self def flush(self): # type: () -> None for line in self: print(line) def __exit__(self, *args): # type: (*Any) -> None self.extend(self.__buf.getvalue().splitlines()) sys.stdout = self.__stdout class SSH2(object): # pylint: disable=too-few-public-methods class KexParty(object): def __init__(self, enc, mac, compression, languages): # type: (List[text_type], List[text_type], List[text_type], List[text_type]) -> None self.__enc = enc self.__mac = mac self.__compression = compression self.__languages = languages @property def encryption(self): # type: () -> List[text_type] return self.__enc @property def mac(self): # type: () -> List[text_type] return self.__mac @property def compression(self): # type: () -> List[text_type] return self.__compression @property def languages(self): # type: () -> List[text_type] return self.__languages class Kex(object): def __init__(self, cookie, kex_algs, key_algs, cli, srv, follows, unused=0): # type: (binary_type, List[text_type], List[text_type], SSH2.KexParty, SSH2.KexParty, bool, int) -> None self.__cookie = cookie self.__kex_algs = kex_algs self.__key_algs = key_algs self.__client = cli self.__server = srv self.__follows = follows self.__unused = unused @property def cookie(self): # type: () -> binary_type return self.__cookie @property def kex_algorithms(self): # type: () -> List[text_type] return self.__kex_algs @property def key_algorithms(self): # type: () -> List[text_type] return self.__key_algs # client_to_server @property def client(self): # type: () -> SSH2.KexParty return self.__client # server_to_client @property def server(self): # type: () -> SSH2.KexParty return self.__server @property def follows(self): # type: () -> bool return self.__follows @property def unused(self): # type: () -> int return self.__unused def write(self, wbuf): # type: (WriteBuf) -> None wbuf.write(self.cookie) wbuf.write_list(self.kex_algorithms) wbuf.write_list(self.key_algorithms) wbuf.write_list(self.client.encryption) wbuf.write_list(self.server.encryption) wbuf.write_list(self.client.mac) wbuf.write_list(self.server.mac) wbuf.write_list(self.client.compression) wbuf.write_list(self.server.compression) wbuf.write_list(self.client.languages) wbuf.write_list(self.server.languages) wbuf.write_bool(self.follows) wbuf.write_int(self.__unused) @property def payload(self): # type: () -> binary_type wbuf = WriteBuf() self.write(wbuf) return wbuf.write_flush() @classmethod def parse(cls, payload): # type: (binary_type) -> SSH2.Kex buf = ReadBuf(payload) cookie = buf.read(16) kex_algs = buf.read_list() key_algs = buf.read_list() cli_enc = buf.read_list() srv_enc = buf.read_list() cli_mac = buf.read_list() srv_mac = buf.read_list() cli_compression = buf.read_list() srv_compression = buf.read_list() cli_languages = buf.read_list() srv_languages = buf.read_list() follows = buf.read_bool() unused = buf.read_int() cli = SSH2.KexParty(cli_enc, cli_mac, cli_compression, cli_languages) srv = SSH2.KexParty(srv_enc, srv_mac, srv_compression, srv_languages) kex = cls(cookie, kex_algs, key_algs, cli, srv, follows, unused) return kex class SSH1(object): class CRC32(object): def __init__(self): # type: () -> None self._table = [0] * 256 for i in range(256): crc = 0 n = i for _ in range(8): x = (crc ^ n) & 1 crc = (crc >> 1) ^ (x * 0xedb88320) n = n >> 1 self._table[i] = crc def calc(self, v): # type: (binary_type) -> int crc, l = 0, len(v) for i in range(l): n = ord(v[i:i + 1]) n = n ^ (crc & 0xff) crc = (crc >> 8) ^ self._table[n] return crc _crc32 = None # type: Optional[SSH1.CRC32] CIPHERS = ['none', 'idea', 'des', '3des', 'tss', 'rc4', 'blowfish'] AUTHS = [None, 'rhosts', 'rsa', 'password', 'rhosts_rsa', 'tis', 'kerberos'] @classmethod def crc32(cls, v): # type: (binary_type) -> int if cls._crc32 is None: cls._crc32 = cls.CRC32() return cls._crc32.calc(v) class KexDB(object): # pylint: disable=too-few-public-methods # pylint: disable=bad-whitespace FAIL_PLAINTEXT = 'no encryption/integrity' FAIL_OPENSSH37_REMOVE = 'removed since OpenSSH 3.7' FAIL_NA_BROKEN = 'not implemented in OpenSSH, broken algorithm' FAIL_NA_UNSAFE = 'not implemented in OpenSSH (server), unsafe algorithm' TEXT_CIPHER_IDEA = 'cipher used by commercial SSH' ALGORITHMS = { 'key': { 'ssh-rsa1': [['1.2.2']], }, 'enc': { 'none': [['1.2.2'], [FAIL_PLAINTEXT]], 'idea': [[None], [], [], [TEXT_CIPHER_IDEA]], 'des': [['2.3.0C'], [FAIL_NA_UNSAFE]], '3des': [['1.2.2']], 'tss': [[''], [FAIL_NA_BROKEN]], 'rc4': [[], [FAIL_NA_BROKEN]], 'blowfish': [['1.2.2']], }, 'aut': { 'rhosts': [['1.2.2', '3.6'], [FAIL_OPENSSH37_REMOVE]], 'rsa': [['1.2.2']], 'password': [['1.2.2']], 'rhosts_rsa': [['1.2.2']], 'tis': [['1.2.2']], 'kerberos': [['1.2.2', '3.6'], [FAIL_OPENSSH37_REMOVE]], } } # type: Dict[str, Dict[str, List[List[str]]]] class PublicKeyMessage(object): def __init__(self, cookie, skey, hkey, pflags, cmask, amask): # type: (binary_type, Tuple[int, int, int], Tuple[int, int, int], int, int, int) -> None assert len(skey) == 3 assert len(hkey) == 3 self.__cookie = cookie self.__server_key = skey self.__host_key = hkey self.__protocol_flags = pflags self.__supported_ciphers_mask = cmask self.__supported_authentications_mask = amask @property def cookie(self): # type: () -> binary_type return self.__cookie @property def server_key_bits(self): # type: () -> int return self.__server_key[0] @property def server_key_public_exponent(self): # type: () -> int return self.__server_key[1] @property def server_key_public_modulus(self): # type: () -> int return self.__server_key[2] @property def host_key_bits(self): # type: () -> int return self.__host_key[0] @property def host_key_public_exponent(self): # type: () -> int return self.__host_key[1] @property def host_key_public_modulus(self): # type: () -> int return self.__host_key[2] @property def host_key_fingerprint_data(self): # type: () -> binary_type # pylint: disable=protected-access mod = WriteBuf._create_mpint(self.host_key_public_modulus, False) e = WriteBuf._create_mpint(self.host_key_public_exponent, False) return mod + e @property def protocol_flags(self): # type: () -> int return self.__protocol_flags @property def supported_ciphers_mask(self): # type: () -> int return self.__supported_ciphers_mask @property def supported_ciphers(self): # type: () -> List[text_type] ciphers = [] for i in range(len(SSH1.CIPHERS)): if self.__supported_ciphers_mask & (1 << i) != 0: ciphers.append(utils.to_utext(SSH1.CIPHERS[i])) return ciphers @property def supported_authentications_mask(self): # type: () -> int return self.__supported_authentications_mask @property def supported_authentications(self): # type: () -> List[text_type] auths = [] for i in range(1, len(SSH1.AUTHS)): if self.__supported_authentications_mask & (1 << i) != 0: auths.append(utils.to_utext(SSH1.AUTHS[i])) return auths def write(self, wbuf): # type: (WriteBuf) -> None wbuf.write(self.cookie) wbuf.write_int(self.server_key_bits) wbuf.write_mpint1(self.server_key_public_exponent) wbuf.write_mpint1(self.server_key_public_modulus) wbuf.write_int(self.host_key_bits) wbuf.write_mpint1(self.host_key_public_exponent) wbuf.write_mpint1(self.host_key_public_modulus) wbuf.write_int(self.protocol_flags) wbuf.write_int(self.supported_ciphers_mask) wbuf.write_int(self.supported_authentications_mask) @property def payload(self): # type: () -> binary_type wbuf = WriteBuf() self.write(wbuf) return wbuf.write_flush() @classmethod def parse(cls, payload): # type: (binary_type) -> SSH1.PublicKeyMessage buf = ReadBuf(payload) cookie = buf.read(8) server_key_bits = buf.read_int() server_key_exponent = buf.read_mpint1() server_key_modulus = buf.read_mpint1() skey = (server_key_bits, server_key_exponent, server_key_modulus) host_key_bits = buf.read_int() host_key_exponent = buf.read_mpint1() host_key_modulus = buf.read_mpint1() hkey = (host_key_bits, host_key_exponent, host_key_modulus) pflags = buf.read_int() cmask = buf.read_int() amask = buf.read_int() pkm = cls(cookie, skey, hkey, pflags, cmask, amask) return pkm class ReadBuf(object): def __init__(self, data=None): # type: (Optional[binary_type]) -> None super(ReadBuf, self).__init__() self._buf = BytesIO(data) if data else BytesIO() self._len = len(data) if data else 0 @property def unread_len(self): # type: () -> int return self._len - self._buf.tell() def read(self, size): # type: (int) -> binary_type return self._buf.read(size) def read_byte(self): # type: () -> int return struct.unpack('B', self.read(1))[0] def read_bool(self): # type: () -> bool return self.read_byte() != 0 def read_int(self): # type: () -> int return struct.unpack('>I', self.read(4))[0] def read_list(self): # type: () -> List[text_type] list_size = self.read_int() return self.read(list_size).decode('utf-8', 'replace').split(',') def read_string(self): # type: () -> binary_type n = self.read_int() return self.read(n) @classmethod def _parse_mpint(cls, v, pad, sf): # type: (binary_type, binary_type, str) -> int r = 0 if len(v) % 4: v = pad * (4 - (len(v) % 4)) + v for i in range(0, len(v), 4): r = (r << 32) | struct.unpack(sf, v[i:i + 4])[0] return r def read_mpint1(self): # type: () -> int # NOTE: Data Type Enc @ http://www.snailbook.com/docs/protocol-1.5.txt bits = struct.unpack('>H', self.read(2))[0] n = (bits + 7) // 8 return self._parse_mpint(self.read(n), b'\x00', '>I') def read_mpint2(self): # type: () -> int # NOTE: Section 5 @ https://www.ietf.org/rfc/rfc4251.txt v = self.read_string() if len(v) == 0: return 0 pad, sf = (b'\xff', '>i') if ord(v[0:1]) & 0x80 else (b'\x00', '>I') return self._parse_mpint(v, pad, sf) def read_line(self): # type: () -> text_type return self._buf.readline().rstrip().decode('utf-8', 'replace') class WriteBuf(object): def __init__(self, data=None): # type: (Optional[binary_type]) -> None super(WriteBuf, self).__init__() self._wbuf = BytesIO(data) if data else BytesIO() def write(self, data): # type: (binary_type) -> WriteBuf self._wbuf.write(data) return self def write_byte(self, v): # type: (int) -> WriteBuf return self.write(struct.pack('B', v)) def write_bool(self, v): # type: (bool) -> WriteBuf return self.write_byte(1 if v else 0) def write_int(self, v): # type: (int) -> WriteBuf return self.write(struct.pack('>I', v)) def write_string(self, v): # type: (Union[binary_type, text_type]) -> WriteBuf if not isinstance(v, bytes): v = bytes(bytearray(v, 'utf-8')) self.write_int(len(v)) return self.write(v) def write_list(self, v): # type: (List[text_type]) -> WriteBuf return self.write_string(u','.join(v)) @classmethod def _bitlength(cls, n): # type: (int) -> int try: return n.bit_length() except AttributeError: return len(bin(n)) - (2 if n > 0 else 3) @classmethod def _create_mpint(cls, n, signed=True, bits=None): # type: (int, bool, Optional[int]) -> binary_type if bits is None: bits = cls._bitlength(n) length = bits // 8 + (1 if n != 0 else 0) ql = (length + 7) // 8 fmt, v2 = '>{0}Q'.format(ql), [0] * ql for i in range(ql): v2[ql - i - 1] = (n & 0xffffffffffffffff) n >>= 64 data = bytes(struct.pack(fmt, *v2)[-length:]) if not signed: data = data.lstrip(b'\x00') elif data.startswith(b'\xff\x80'): data = data[1:] return data def write_mpint1(self, n): # type: (int) -> WriteBuf # NOTE: Data Type Enc @ http://www.snailbook.com/docs/protocol-1.5.txt bits = self._bitlength(n) data = self._create_mpint(n, False, bits) self.write(struct.pack('>H', bits)) return self.write(data) def write_mpint2(self, n): # type: (int) -> WriteBuf # NOTE: Section 5 @ https://www.ietf.org/rfc/rfc4251.txt data = self._create_mpint(n) return self.write_string(data) def write_line(self, v): # type: (Union[binary_type, str]) -> WriteBuf if not isinstance(v, bytes): v = bytes(bytearray(v, 'utf-8')) v += b'\r\n' return self.write(v) def write_flush(self): # type: () -> binary_type payload = self._wbuf.getvalue() self._wbuf.truncate(0) self._wbuf.seek(0) return payload class SSH(object): # pylint: disable=too-few-public-methods class Protocol(object): # pylint: disable=too-few-public-methods # pylint: disable=bad-whitespace SMSG_PUBLIC_KEY = 2 MSG_KEXINIT = 20 MSG_NEWKEYS = 21 MSG_KEXDH_INIT = 30 MSG_KEXDH_REPLY = 32 class Product(object): # pylint: disable=too-few-public-methods OpenSSH = 'OpenSSH' DropbearSSH = 'Dropbear SSH' LibSSH = 'libssh' class Software(object): def __init__(self, vendor, product, version, patch, os_version): # type: (Optional[str], str, str, Optional[str], Optional[str]) -> None self.__vendor = vendor self.__product = product self.__version = version self.__patch = patch self.__os = os_version @property def vendor(self): # type: () -> Optional[str] return self.__vendor @property def product(self): # type: () -> str return self.__product @property def version(self): # type: () -> str return self.__version @property def patch(self): # type: () -> Optional[str] return self.__patch @property def os(self): # type: () -> Optional[str] return self.__os def compare_version(self, other): # type: (Union[None, SSH.Software, text_type]) -> int # pylint: disable=too-many-branches if other is None: return 1 if isinstance(other, SSH.Software): other = '{0}{1}'.format(other.version, other.patch or '') else: other = str(other) mx = re.match(r'^([\d\.]+\d+)(.*)$', other) if mx: oversion, opatch = mx.group(1), mx.group(2).strip() else: oversion, opatch = other, '' if self.version < oversion: return -1 elif self.version > oversion: return 1 spatch = self.patch or '' if self.product == SSH.Product.DropbearSSH: if not re.match(r'^test\d.*$', opatch): opatch = 'z{0}'.format(opatch) if not re.match(r'^test\d.*$', spatch): spatch = 'z{0}'.format(spatch) elif self.product == SSH.Product.OpenSSH: mx1 = re.match(r'^p\d(.*)', opatch) mx2 = re.match(r'^p\d(.*)', spatch) if not (mx1 and mx2): if mx1: opatch = mx1.group(1) if mx2: spatch = mx2.group(1) if spatch < opatch: return -1 elif spatch > opatch: return 1 return 0 def between_versions(self, vfrom, vtill): # type: (str, str) -> bool if vfrom and self.compare_version(vfrom) < 0: return False if vtill and self.compare_version(vtill) > 0: return False return True def display(self, full=True): # type: (bool) -> str r = '{0} '.format(self.vendor) if self.vendor else '' r += self.product if self.version: r += ' {0}'.format(self.version) if full: patch = self.patch or '' if self.product == SSH.Product.OpenSSH: mx = re.match(r'^(p\d)(.*)$', patch) if mx is not None: r += mx.group(1) patch = mx.group(2).strip() if patch: r += ' ({0})'.format(patch) if self.os: r += ' running on {0}'.format(self.os) return r def __str__(self): # type: () -> str return self.display() def __repr__(self): # type: () -> str r = 'vendor={0}'.format(self.vendor) if self.vendor else '' if self.product: if self.vendor: r += ', ' r += 'product={0}'.format(self.product) if self.version: r += ', version={0}'.format(self.version) if self.patch: r += ', patch={0}'.format(self.patch) if self.os: r += ', os={0}'.format(self.os) return '<{0}({1})>'.format(self.__class__.__name__, r) @staticmethod def _fix_patch(patch): # type: (str) -> Optional[str] return re.sub(r'^[-_\.]+', '', patch) or None @staticmethod def _fix_date(d): # type: (str) -> Optional[str] if d is not None and len(d) == 8: return '{0}-{1}-{2}'.format(d[:4], d[4:6], d[6:8]) else: return None @classmethod def _extract_os_version(cls, c): # type: (Optional[str]) -> str if c is None: return None mx = re.match(r'^NetBSD(?:_Secure_Shell)?(?:[\s-]+(\d{8})(.*))?$', c) if mx: d = cls._fix_date(mx.group(1)) return 'NetBSD' if d is None else 'NetBSD ({0})'.format(d) mx = re.match(r'^FreeBSD(?:\slocalisations)?[\s-]+(\d{8})(.*)$', c) if not mx: mx = re.match(r'^[^@]+@FreeBSD\.org[\s-]+(\d{8})(.*)$', c) if mx: d = cls._fix_date(mx.group(1)) return 'FreeBSD' if d is None else 'FreeBSD ({0})'.format(d) w = ['RemotelyAnywhere', 'DesktopAuthority', 'RemoteSupportManager'] for win_soft in w: mx = re.match(r'^in ' + win_soft + r' ([\d\.]+\d)$', c) if mx: ver = mx.group(1) return 'Microsoft Windows ({0} {1})'.format(win_soft, ver) generic = ['NetBSD', 'FreeBSD'] for g in generic: if c.startswith(g) or c.endswith(g): return g return None @classmethod def parse(cls, banner): # type: (SSH.Banner) -> SSH.Software # pylint: disable=too-many-return-statements software = str(banner.software) mx = re.match(r'^dropbear_([\d\.]+\d+)(.*)', software) if mx: patch = cls._fix_patch(mx.group(2)) v, p = 'Matt Johnston', SSH.Product.DropbearSSH v = None return cls(v, p, mx.group(1), patch, None) mx = re.match(r'^OpenSSH[_\.-]+([\d\.]+\d+)(.*)', software) if mx: patch = cls._fix_patch(mx.group(2)) v, p = 'OpenBSD', SSH.Product.OpenSSH v = None os_version = cls._extract_os_version(banner.comments) return cls(v, p, mx.group(1), patch, os_version) mx = re.match(r'^libssh-([\d\.]+\d+)(.*)', software) if mx: patch = cls._fix_patch(mx.group(2)) v, p = None, SSH.Product.LibSSH os_version = cls._extract_os_version(banner.comments) return cls(v, p, mx.group(1), patch, os_version) mx = re.match(r'^RomSShell_([\d\.]+\d+)(.*)', software) if mx: patch = cls._fix_patch(mx.group(2)) v, p = 'Allegro Software', 'RomSShell' return cls(v, p, mx.group(1), patch, None) mx = re.match(r'^mpSSH_([\d\.]+\d+)', software) if mx: v, p = 'HP', 'iLO (Integrated Lights-Out) sshd' return cls(v, p, mx.group(1), None, None) mx = re.match(r'^Cisco-([\d\.]+\d+)', software) if mx: v, p = 'Cisco', 'IOS/PIX sshd' return cls(v, p, mx.group(1), None, None) return None class Banner(object): _RXP, _RXR = r'SSH-\d\.\s*?\d+', r'(-\s*([^\s]*)(?:\s+(.*))?)?' RX_PROTOCOL = re.compile(re.sub(r'\\d(\+?)', r'(\\d\g<1>)', _RXP)) RX_BANNER = re.compile(r'^({0}(?:(?:-{0})*)){1}$'.format(_RXP, _RXR)) def __init__(self, protocol, software, comments, valid_ascii): # type: (Tuple[int, int], str, str, bool) -> None self.__protocol = protocol self.__software = software self.__comments = comments self.__valid_ascii = valid_ascii @property def protocol(self): # type: () -> Tuple[int, int] return self.__protocol @property def software(self): # type: () -> str return self.__software @property def comments(self): # type: () -> str return self.__comments @property def valid_ascii(self): # type: () -> bool return self.__valid_ascii def __str__(self): # type: () -> str r = 'SSH-{0}.{1}'.format(self.protocol[0], self.protocol[1]) if self.software is not None: r += '-{0}'.format(self.software) if self.comments: r += ' {0}'.format(self.comments) return r def __repr__(self): # type: () -> str p = '{0}.{1}'.format(self.protocol[0], self.protocol[1]) r = 'protocol={0}'.format(p) if self.software: r += ', software={0}'.format(self.software) if self.comments: r += ', comments={0}'.format(self.comments) return '<{0}({1})>'.format(self.__class__.__name__, r) @classmethod def parse(cls, banner): # type: (text_type) -> SSH.Banner valid_ascii = utils.is_ascii(banner) ascii_banner = utils.to_ascii(banner) mx = cls.RX_BANNER.match(ascii_banner) if mx is None: return None protocol = min(re.findall(cls.RX_PROTOCOL, mx.group(1))) protocol = (int(protocol[0]), int(protocol[1])) software = (mx.group(3) or '').strip() or None if software is None and (mx.group(2) or '').startswith('-'): software = '' comments = (mx.group(4) or '').strip() or None if comments is not None: comments = re.sub(r'\s+', ' ', comments) return cls(protocol, software, comments, valid_ascii) class Fingerprint(object): def __init__(self, fpd): # type: (binary_type) -> None self.__fpd = fpd @property def md5(self): # type: () -> text_type h = hashlib.md5(self.__fpd).hexdigest() r = u':'.join(h[i:i + 2] for i in range(0, len(h), 2)) return u'MD5:{0}'.format(r) @property def sha256(self): # type: () -> text_type h = base64.b64encode(hashlib.sha256(self.__fpd).digest()) r = h.decode('ascii').rstrip('=') return u'SHA256:{0}'.format(r) class Security(object): # pylint: disable=too-few-public-methods # pylint: disable=bad-whitespace CVE = { 'Dropbear SSH': [ ['0.44', '2015.71', 1, 'CVE-2016-3116', 5.5, 'bypass command restrictions via xauth command injection'], ['0.28', '2013.58', 1, 'CVE-2013-4434', 5.0, 'discover valid usernames through different time delays'], ['0.28', '2013.58', 1, 'CVE-2013-4421', 5.0, 'cause DoS (memory consumption) via a compressed packet'], ['0.52', '2011.54', 1, 'CVE-2012-0920', 7.1, 'execute arbitrary code or bypass command restrictions'], ['0.40', '0.48.1', 1, 'CVE-2007-1099', 7.5, 'conduct a MitM attack (no warning for hostkey mismatch)'], ['0.28', '0.47', 1, 'CVE-2006-1206', 7.5, 'cause DoS (slot exhaustion) via large number of connections'], ['0.39', '0.47', 1, 'CVE-2006-0225', 4.6, 'execute arbitrary commands via scp with crafted filenames'], ['0.28', '0.46', 1, 'CVE-2005-4178', 6.5, 'execute arbitrary code via buffer overflow vulnerability'], ['0.28', '0.42', 1, 'CVE-2004-2486', 7.5, 'execute arbitrary code via DSS verification code']], 'libssh': [ ['0.1', '0.7.2', 1, 'CVE-2016-0739', 4.3, 'conduct a MitM attack (weakness in DH key generation)'], ['0.5.1', '0.6.4', 1, 'CVE-2015-3146', 5.0, 'cause DoS via kex packets (null pointer dereference)'], ['0.5.1', '0.6.3', 1, 'CVE-2014-8132', 5.0, 'cause DoS via kex init packet (dangling pointer)'], ['0.4.7', '0.6.2', 1, 'CVE-2014-0017', 1.9, 'leak data via PRNG state reuse on forking servers'], ['0.4.7', '0.5.3', 1, 'CVE-2013-0176', 4.3, 'cause DoS via kex packet (null pointer dereference)'], ['0.4.7', '0.5.2', 1, 'CVE-2012-6063', 7.5, 'cause DoS or execute arbitrary code via sftp (double free)'], ['0.4.7', '0.5.2', 1, 'CVE-2012-4562', 7.5, 'cause DoS or execute arbitrary code (overflow check)'], ['0.4.7', '0.5.2', 1, 'CVE-2012-4561', 5.0, 'cause DoS via unspecified vectors (invalid pointer)'], ['0.4.7', '0.5.2', 1, 'CVE-2012-4560', 7.5, 'cause DoS or execute arbitrary code (buffer overflow)'], ['0.4.7', '0.5.2', 1, 'CVE-2012-4559', 6.8, 'cause DoS or execute arbitrary code (double free)']] } # type: Dict[str, List[List[Any]]] TXT = { 'Dropbear SSH': [ ['0.28', '0.34', 1, 'remote root exploit', 'remote format string buffer overflow exploit (exploit-db#387)']], 'libssh': [ ['0.3.3', '0.3.3', 1, 'null pointer check', 'missing null pointer check in "crypt_set_algorithms_server"'], ['0.3.3', '0.3.3', 1, 'integer overflow', 'integer overflow in "buffer_get_data"'], ['0.3.3', '0.3.3', 3, 'heap overflow', 'heap overflow in "packet_decrypt"']] } # type: Dict[str, List[List[Any]]] class Socket(ReadBuf, WriteBuf): class InsufficientReadException(Exception): pass SM_BANNER_SENT = 1 def __init__(self, host, port): # type: (str, int) -> None super(SSH.Socket, self).__init__() self.__block_size = 8 self.__state = 0 self.__header = [] # type: List[text_type] self.__banner = None # type: Optional[SSH.Banner] self.__host = host self.__port = port self.__sock = None # type: socket.socket def __enter__(self): # type: () -> SSH.Socket return self def _resolve(self, ipvo): # type: (Sequence[int]) -> Iterable[Tuple[int, Tuple[Any, ...]]] ipvo = tuple(filter(lambda x: x in (4, 6), utils.unique_seq(ipvo))) ipvo_len = len(ipvo) prefer_ipvo = ipvo_len > 0 prefer_ipv4 = prefer_ipvo and ipvo[0] == 4 if len(ipvo) == 1: family = {4: socket.AF_INET, 6: socket.AF_INET6}.get(ipvo[0]) else: family = socket.AF_UNSPEC try: stype = socket.SOCK_STREAM r = socket.getaddrinfo(self.__host, self.__port, family, stype) if prefer_ipvo: r = sorted(r, key=lambda x: x[0], reverse=not prefer_ipv4) check = any(stype == rline[2] for rline in r) for (af, socktype, proto, canonname, addr) in r: if not check or socktype == socket.SOCK_STREAM: yield (af, addr) except socket.error as e: out.fail('[exception] {0}'.format(e)) sys.exit(1) def connect(self, ipvo=(), cto=3.0, rto=5.0): # type: (Sequence[int], float, float) -> None err = None for (af, addr) in self._resolve(ipvo): s = None try: s = socket.socket(af, socket.SOCK_STREAM) s.settimeout(cto) s.connect(addr) s.settimeout(rto) self.__sock = s return except socket.error as e: err = e self._close_socket(s) if err is None: errm = 'host {0} has no DNS records'.format(self.__host) else: errt = (self.__host, self.__port, err) errm = 'cannot connect to {0} port {1}: {2}'.format(*errt) out.fail('[exception] {0}'.format(errm)) sys.exit(1) def get_banner(self, sshv=2): # type: (int) -> Tuple[Optional[SSH.Banner], List[text_type]] banner = 'SSH-{0}-OpenSSH_7.3'.format('1.5' if sshv == 1 else '2.0') rto = self.__sock.gettimeout() self.__sock.settimeout(0.7) s, e = self.recv() self.__sock.settimeout(rto) if s < 0: return self.__banner, self.__header if self.__state < self.SM_BANNER_SENT: self.send_banner(banner) while self.__banner is None: if not s > 0: s, e = self.recv() if s < 0: break while self.__banner is None and self.unread_len > 0: line = self.read_line() if len(line.strip()) == 0: continue if self.__banner is None: self.__banner = SSH.Banner.parse(line) if self.__banner is not None: continue self.__header.append(line) s = 0 return self.__banner, self.__header def recv(self, size=2048): # type: (int) -> Tuple[int, Optional[str]] try: data = self.__sock.recv(size) except socket.timeout: return (-1, 'timeout') except socket.error as e: if e.args[0] in (errno.EAGAIN, errno.EWOULDBLOCK): return (0, 'retry') return (-1, str(e.args[-1])) if len(data) == 0: return (-1, None) pos = self._buf.tell() self._buf.seek(0, 2) self._buf.write(data) self._len += len(data) self._buf.seek(pos, 0) return (len(data), None) def send(self, data): # type: (binary_type) -> Tuple[int, Optional[str]] try: self.__sock.send(data) return (0, None) except socket.error as e: return (-1, str(e.args[-1])) self.__sock.send(data) def send_banner(self, banner): # type: (str) -> None self.send(banner.encode() + b'\r\n') if self.__state < self.SM_BANNER_SENT: self.__state = self.SM_BANNER_SENT def ensure_read(self, size): # type: (int) -> None while self.unread_len < size: s, e = self.recv() if s < 0: raise SSH.Socket.InsufficientReadException(e) def read_packet(self, sshv=2): # type: (int) -> Tuple[int, binary_type] try: header = WriteBuf() self.ensure_read(4) packet_length = self.read_int() header.write_int(packet_length) # XXX: validate length if sshv == 1: padding_length = (8 - packet_length % 8) self.ensure_read(padding_length) padding = self.read(padding_length) header.write(padding) payload_length = packet_length check_size = padding_length + payload_length else: self.ensure_read(1) padding_length = self.read_byte() header.write_byte(padding_length) payload_length = packet_length - padding_length - 1 check_size = 4 + 1 + payload_length + padding_length if check_size % self.__block_size != 0: out.fail('[exception] invalid ssh packet (block size)') sys.exit(1) self.ensure_read(payload_length) if sshv == 1: payload = self.read(payload_length - 4) header.write(payload) crc = self.read_int() header.write_int(crc) else: payload = self.read(payload_length) header.write(payload) packet_type = ord(payload[0:1]) if sshv == 1: rcrc = SSH1.crc32(padding + payload) if crc != rcrc: out.fail('[exception] packet checksum CRC32 mismatch.') sys.exit(1) else: self.ensure_read(padding_length) padding = self.read(padding_length) payload = payload[1:] return packet_type, payload except SSH.Socket.InsufficientReadException as ex: if ex.args[0] is None: header.write(self.read(self.unread_len)) e = header.write_flush().strip() else: e = ex.args[0].encode('utf-8') return (-1, e) def send_packet(self): # type: () -> Tuple[int, Optional[str]] payload = self.write_flush() padding = -(len(payload) + 5) % 8 if padding < 4: padding += 8 plen = len(payload) + padding + 1 pad_bytes = b'\x00' * padding data = struct.pack('>Ib', plen, padding) + payload + pad_bytes return self.send(data) def _close_socket(self, s): # type: (Optional[socket.socket]) -> None try: if s is not None: s.shutdown(socket.SHUT_RDWR) s.close() except: # pylint: disable=bare-except pass def __del__(self): # type: () -> None self.__cleanup() def __exit__(self, *args): # type: (*Any) -> None self.__cleanup() def __cleanup(self): # type: () -> None self._close_socket(self.__sock) class KexDH(object): def __init__(self, alg, g, p): # type: (str, int, int) -> None self.__alg = alg self.__g = g self.__p = p self.__q = (self.__p - 1) // 2 self.__x = None # type: Optional[int] self.__e = None # type: Optional[int] def send_init(self, s): # type: (SSH.Socket) -> None r = random.SystemRandom() self.__x = r.randrange(2, self.__q) self.__e = pow(self.__g, self.__x, self.__p) s.write_byte(SSH.Protocol.MSG_KEXDH_INIT) s.write_mpint2(self.__e) s.send_packet() class KexGroup1(KexDH): def __init__(self): # type: () -> None # rfc2409: second oakley group p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67' 'cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6d' 'f25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff' '5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece65381' 'ffffffffffffffff', 16) super(KexGroup1, self).__init__('sha1', 2, p) class KexGroup14(KexDH): def __init__(self): # type: () -> None # rfc3526: 2048-bit modp group p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67' 'cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6d' 'f25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff' '5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3d' 'c2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3' 'ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08' 'ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c5' '5df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa0510' '15728e5a8aacaa68ffffffffffffffff', 16) super(KexGroup14, self).__init__('sha1', 2, p) class KexDB(object): # pylint: disable=too-few-public-methods # pylint: disable=bad-whitespace WARN_OPENSSH72_LEGACY = 'disabled (in client) since OpenSSH 7.2, legacy algorithm' FAIL_OPENSSH70_LEGACY = 'removed since OpenSSH 7.0, legacy algorithm' FAIL_OPENSSH70_WEAK = 'removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm' FAIL_OPENSSH70_LOGJAM = 'disabled (in client) since OpenSSH 7.0, logjam attack' INFO_OPENSSH69_CHACHA = 'default cipher since OpenSSH 6.9.' FAIL_OPENSSH67_UNSAFE = 'removed (in server) since OpenSSH 6.7, unsafe algorithm' FAIL_OPENSSH61_REMOVE = 'removed since OpenSSH 6.1, removed from specification' FAIL_OPENSSH31_REMOVE = 'removed since OpenSSH 3.1' FAIL_DBEAR67_DISABLED = 'disabled since Dropbear SSH 2015.67' FAIL_DBEAR53_DISABLED = 'disabled since Dropbear SSH 0.53' FAIL_PLAINTEXT = 'no encryption/integrity' WARN_CURVES_WEAK = 'using weak elliptic curves' WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key' WARN_MODULUS_SIZE = 'using small 1024-bit modulus' WARN_MODULUS_CUSTOM = 'using custom size modulus (possibly weak)' WARN_HASH_WEAK = 'using weak hashing algorithm' WARN_CIPHER_MODE = 'using weak cipher mode' WARN_BLOCK_SIZE = 'using small 64-bit block size' WARN_CIPHER_WEAK = 'using weak cipher' WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode' WARN_TAG_SIZE = 'using small 64-bit tag size' ALGORITHMS = { 'kex': { 'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_OPENSSH67_UNSAFE, FAIL_OPENSSH70_LOGJAM], [WARN_MODULUS_SIZE, WARN_HASH_WEAK]], 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [], [WARN_HASH_WEAK]], 'diffie-hellman-group14-sha256': [['7.3,d2016.73']], 'diffie-hellman-group16-sha512': [['7.3,d2016.73']], 'diffie-hellman-group18-sha512': [['7.3']], 'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]], 'diffie-hellman-group-exchange-sha256': [['4.4'], [], [WARN_MODULUS_CUSTOM]], 'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [WARN_CURVES_WEAK]], 'ecdh-sha2-nistp384': [['5.7,d2013.62'], [WARN_CURVES_WEAK]], 'ecdh-sha2-nistp521': [['5.7,d2013.62'], [WARN_CURVES_WEAK]], 'curve25519-sha256@libssh.org': [['6.5,d2013.62,l10.6.0']], 'kexguess2@matt.ucc.asn.au': [['d2013.57']], }, 'key': { 'rsa-sha2-256': [['7.2']], 'rsa-sha2-512': [['7.2']], 'ssh-ed25519': [['6.5,l10.7.0']], 'ssh-ed25519-cert-v01@openssh.com': [['6.5']], 'ssh-rsa': [['2.5.0,d0.28,l10.2']], 'ssh-dss': [['2.1.0,d0.28,l10.2', '6.9'], [FAIL_OPENSSH70_WEAK], [WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp256': [['5.7,d2013.62,l10.6.4'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp384': [['5.7,d2013.62,l10.6.4'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp521': [['5.7,d2013.62,l10.6.4'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'ssh-rsa-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_OPENSSH70_LEGACY], []], 'ssh-dss-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_OPENSSH70_LEGACY], [WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]], 'ssh-rsa-cert-v01@openssh.com': [['5.6']], 'ssh-dss-cert-v01@openssh.com': [['5.6', '6.9'], [FAIL_OPENSSH70_WEAK], [WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp256-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp521-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], }, 'enc': { 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]], '3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], '3des-ctr': [['d0.52']], 'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'twofish-cbc': [['d0.28', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]], 'twofish128-cbc': [['d0.47', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]], 'twofish256-cbc': [['d0.47', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]], 'twofish128-ctr': [['d2015.68']], 'twofish256-ctr': [['d2015.68']], 'cast128-cbc': [['2.1.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'arcfour': [['2.1.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_WEAK]], 'arcfour128': [['4.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_WEAK]], 'arcfour256': [['4.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_WEAK]], 'aes128-cbc': [['2.3.0,d0.28,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_CIPHER_MODE]], 'aes192-cbc': [['2.3.0,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_CIPHER_MODE]], 'aes256-cbc': [['2.3.0,d0.47,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_CIPHER_MODE]], 'rijndael128-cbc': [['2.3.0', '3.0.2'], [FAIL_OPENSSH31_REMOVE], [WARN_CIPHER_MODE]], 'rijndael192-cbc': [['2.3.0', '3.0.2'], [FAIL_OPENSSH31_REMOVE], [WARN_CIPHER_MODE]], 'rijndael256-cbc': [['2.3.0', '3.0.2'], [FAIL_OPENSSH31_REMOVE], [WARN_CIPHER_MODE]], 'rijndael-cbc@lysator.liu.se': [['2.3.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE]], 'aes128-ctr': [['3.7,d0.52,l10.4.1']], 'aes192-ctr': [['3.7,l10.4.1']], 'aes256-ctr': [['3.7,d0.52,l10.4.1']], 'aes128-gcm@openssh.com': [['6.2']], 'aes256-gcm@openssh.com': [['6.2']], 'chacha20-poly1305@openssh.com': [['6.5'], [], [], [INFO_OPENSSH69_CHACHA]], }, 'mac': { 'none': [['d2013.56'], [FAIL_PLAINTEXT]], 'hmac-sha1': [['2.1.0,d0.28,l10.2'], [], [WARN_ENCRYPT_AND_MAC, WARN_HASH_WEAK]], 'hmac-sha1-96': [['2.5.0,d0.47', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC, WARN_HASH_WEAK]], 'hmac-sha2-256': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]], 'hmac-sha2-256-96': [['5.9', '6.0'], [FAIL_OPENSSH61_REMOVE], [WARN_ENCRYPT_AND_MAC]], 'hmac-sha2-512': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]], 'hmac-sha2-512-96': [['5.9', '6.0'], [FAIL_OPENSSH61_REMOVE], [WARN_ENCRYPT_AND_MAC]], 'hmac-md5': [['2.1.0,d0.28', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC, WARN_HASH_WEAK]], 'hmac-md5-96': [['2.5.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC, WARN_HASH_WEAK]], 'hmac-ripemd160': [['2.5.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC]], 'hmac-ripemd160@openssh.com': [['2.1.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC]], 'umac-64@openssh.com': [['4.7'], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]], 'umac-128@openssh.com': [['6.2'], [], [WARN_ENCRYPT_AND_MAC]], 'hmac-sha1-etm@openssh.com': [['6.2'], [], [WARN_HASH_WEAK]], 'hmac-sha1-96-etm@openssh.com': [['6.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]], 'hmac-sha2-256-etm@openssh.com': [['6.2']], 'hmac-sha2-512-etm@openssh.com': [['6.2']], 'hmac-md5-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_HASH_WEAK]], 'hmac-md5-96-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_HASH_WEAK]], 'hmac-ripemd160-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY]], 'umac-64-etm@openssh.com': [['6.2'], [], [WARN_TAG_SIZE]], 'umac-128-etm@openssh.com': [['6.2']], } } # type: Dict[str, Dict[str, List[List[str]]]] def get_ssh_version(version_desc): # type: (str) -> Tuple[str, str] if version_desc.startswith('d'): return (SSH.Product.DropbearSSH, version_desc[1:]) elif version_desc.startswith('l1'): return (SSH.Product.LibSSH, version_desc[2:]) else: return (SSH.Product.OpenSSH, version_desc) def get_alg_timeframe(versions, for_server=True, result=None): # type: (List[str], bool, Optional[Dict[str, List[Optional[str]]]]) -> Dict[str, List[Optional[str]]] result = result or {} vlen = len(versions) for i in range(3): if i > vlen - 1: if i == 2 and vlen > 1: cversions = versions[1] else: continue else: cversions = versions[i] if cversions is None: continue for v in cversions.split(','): ssh_prefix, ssh_version = get_ssh_version(v) if not ssh_version: continue if ssh_version.endswith('C'): if for_server: continue ssh_version = ssh_version[:-1] if ssh_prefix not in result: result[ssh_prefix] = [None, None, None] prev, push = result[ssh_prefix][i], False if prev is None: push = True elif i == 0 and prev < ssh_version: push = True elif i > 0 and prev > ssh_version: push = True if push: result[ssh_prefix][i] = ssh_version return result def get_ssh_timeframe(alg_pairs, for_server=True): # type: (List[Tuple[int, Dict[str, Dict[str, List[List[str]]]], List[Tuple[str, List[text_type]]]]], bool) -> Dict[str, List[Optional[str]]] timeframe = {} # type: Dict[str, List[Optional[str]]] for alg_pair in alg_pairs: alg_db = alg_pair[1] for alg_set in alg_pair[2]: alg_type, alg_list = alg_set for alg_name in alg_list: alg_name_native = utils.to_ntext(alg_name) alg_desc = alg_db[alg_type].get(alg_name_native) if alg_desc is None: continue versions = alg_desc[0] timeframe = get_alg_timeframe(versions, for_server, timeframe) return timeframe def get_alg_since_text(versions): # type: (List[str]) -> text_type tv = [] if len(versions) == 0 or versions[0] is None: return None for v in versions[0].split(','): ssh_prefix, ssh_version = get_ssh_version(v) if not ssh_version: continue if ssh_prefix in [SSH.Product.LibSSH]: continue if ssh_version.endswith('C'): ssh_version = '{0} (client only)'.format(ssh_version[:-1]) tv.append('{0} {1}'.format(ssh_prefix, ssh_version)) if len(tv) == 0: return None return 'available since ' + ', '.join(tv).rstrip(', ') def get_alg_pairs(kex, pkm): # type: (Optional[SSH2.Kex], Optional[SSH1.PublicKeyMessage]) -> List[Tuple[int, Dict[str, Dict[str, List[List[str]]]], List[Tuple[str, List[text_type]]]]] alg_pairs = [] if pkm is not None: alg_pairs.append((1, SSH1.KexDB.ALGORITHMS, [('key', [u'ssh-rsa1']), ('enc', pkm.supported_ciphers), ('aut', pkm.supported_authentications)])) if kex is not None: alg_pairs.append((2, KexDB.ALGORITHMS, [('kex', kex.kex_algorithms), ('key', kex.key_algorithms), ('enc', kex.server.encryption), ('mac', kex.server.mac)])) return alg_pairs def get_alg_recommendations(software, kex, pkm, for_server=True): # type: (SSH.Software, SSH2.Kex, SSH1.PublicKeyMessage, bool) -> Tuple[SSH.Software, Dict[int, Dict[str, Dict[str, Dict[str, int]]]]] # pylint: disable=too-many-locals,too-many-statements alg_pairs = get_alg_pairs(kex, pkm) vproducts = [SSH.Product.OpenSSH, SSH.Product.DropbearSSH, SSH.Product.LibSSH] if software is not None: if software.product not in vproducts: software = None if software is None: ssh_timeframe = get_ssh_timeframe(alg_pairs, for_server) for product in vproducts: if product not in ssh_timeframe: continue version = ssh_timeframe[product][0] if version is not None: software = SSH.Software(None, product, version, None, None) break rec = {} # type: Dict[int, Dict[str, Dict[str, Dict[str, int]]]] if software is None: return software, rec for alg_pair in alg_pairs: sshv, alg_db = alg_pair[0], alg_pair[1] rec[sshv] = {} for alg_set in alg_pair[2]: alg_type, alg_list = alg_set if alg_type == 'aut': continue rec[sshv][alg_type] = {'add': {}, 'del': {}} for n, alg_desc in alg_db[alg_type].items(): if alg_type == 'key' and '-cert-' in n: continue versions = alg_desc[0] if len(versions) == 0 or versions[0] is None: continue matches = False for v in versions[0].split(','): ssh_prefix, ssh_version = get_ssh_version(v) if not ssh_version: continue if ssh_prefix != software.product: continue if ssh_version.endswith('C'): if for_server: continue ssh_version = ssh_version[:-1] if software.compare_version(ssh_version) < 0: continue matches = True break if not matches: continue adl, faults = len(alg_desc), 0 for i in range(1, 3): if not adl > i: continue fc = len(alg_desc[i]) if fc > 0: faults += pow(10, 2 - i) * fc if n not in alg_list: if faults > 0: continue rec[sshv][alg_type]['add'][n] = 0 else: if faults == 0: continue if n == 'diffie-hellman-group-exchange-sha256': if software.compare_version('7.3') < 0: continue rec[sshv][alg_type]['del'][n] = faults add_count = len(rec[sshv][alg_type]['add']) del_count = len(rec[sshv][alg_type]['del']) new_alg_count = len(alg_list) + add_count - del_count if new_alg_count < 1 and del_count > 0: mf = min(rec[sshv][alg_type]['del'].values()) new_del = {} for k, cf in rec[sshv][alg_type]['del'].items(): if cf != mf: new_del[k] = cf if del_count != len(new_del): rec[sshv][alg_type]['del'] = new_del new_alg_count += del_count - len(new_del) if new_alg_count < 1: del rec[sshv][alg_type] else: if add_count == 0: del rec[sshv][alg_type]['add'] if del_count == 0: del rec[sshv][alg_type]['del'] if len(rec[sshv][alg_type]) == 0: del rec[sshv][alg_type] if len(rec[sshv]) == 0: del rec[sshv] return software, rec def output_algorithms(title, alg_db, alg_type, algorithms, maxlen=0): # type: (str, Dict[str, Dict[str, List[List[str]]]], str, List[text_type], int) -> None with OutputBuffer() as obuf: for algorithm in algorithms: output_algorithm(alg_db, alg_type, algorithm, maxlen) if len(obuf) > 0: out.head('# ' + title) obuf.flush() out.sep() def output_algorithm(alg_db, alg_type, alg_name, alg_max_len=0): # type: (Dict[str, Dict[str, List[List[str]]]], str, text_type, int) -> None prefix = '(' + alg_type + ') ' if alg_max_len == 0: alg_max_len = len(alg_name) padding = '' if out.batch else ' ' * (alg_max_len - len(alg_name)) texts = [] if len(alg_name.strip()) == 0: return alg_name_native = utils.to_ntext(alg_name) if alg_name_native in alg_db[alg_type]: alg_desc = alg_db[alg_type][alg_name_native] ldesc = len(alg_desc) for idx, level in enumerate(['fail', 'warn', 'info']): if level == 'info': versions = alg_desc[0] since_text = get_alg_since_text(versions) if since_text: texts.append((level, since_text)) idx = idx + 1 if ldesc > idx: for t in alg_desc[idx]: texts.append((level, t)) if len(texts) == 0: texts.append(('info', '')) else: texts.append(('warn', 'unknown algorithm')) first = True for (level, text) in texts: f = getattr(out, level) text = '[' + level + '] ' + text if first: if first and level == 'info': f = out.good f(prefix + alg_name + padding + ' -- ' + text) first = False else: if out.verbose: f(prefix + alg_name + padding + ' -- ' + text) else: f(' ' * len(prefix + alg_name) + padding + ' `- ' + text) def output_compatibility(kex, pkm, for_server=True): # type: (Optional[SSH2.Kex], Optional[SSH1.PublicKeyMessage], bool) -> None alg_pairs = get_alg_pairs(kex, pkm) ssh_timeframe = get_ssh_timeframe(alg_pairs, for_server) vp = 1 if for_server else 2 comp_text = [] for sshd_name in [SSH.Product.OpenSSH, SSH.Product.DropbearSSH]: if sshd_name not in ssh_timeframe: continue v = ssh_timeframe[sshd_name] if v[vp] is None: comp_text.append('{0} {1}+'.format(sshd_name, v[0])) elif v[0] == v[vp]: comp_text.append('{0} {1}'.format(sshd_name, v[0])) else: if v[vp] < v[0]: tfmt = '{0} {1}+ (some functionality from {2})' else: tfmt = '{0} {1}-{2}' comp_text.append(tfmt.format(sshd_name, v[0], v[vp])) if len(comp_text) > 0: out.good('(gen) compatibility: ' + ', '.join(comp_text)) def output_security_sub(sub, software, padlen): # type: (str, SSH.Software, int) -> None secdb = SSH.Security.CVE if sub == 'cve' else SSH.Security.TXT if software is None or software.product not in secdb: return for line in secdb[software.product]: vfrom, vtill = line[0:2] # type: str, str if not software.between_versions(vfrom, vtill): continue target, name = line[2:4] # type: int, str is_server, is_client = target & 1 == 1, target & 2 == 2 is_local = target & 4 == 4 if not is_server: continue p = '' if out.batch else ' ' * (padlen - len(name)) if sub == 'cve': cvss, descr = line[4:6] # type: float, str out.fail('(cve) {0}{1} -- ({2}) {3}'.format(name, p, cvss, descr)) else: descr = line[4] out.fail('(sec) {0}{1} -- {2}'.format(name, p, descr)) def output_security(banner, padlen): # type: (SSH.Banner, int) -> None with OutputBuffer() as obuf: if banner: software = SSH.Software.parse(banner) output_security_sub('cve', software, padlen) output_security_sub('txt', software, padlen) if len(obuf) > 0: out.head('# security') obuf.flush() out.sep() def output_fingerprint(kex, pkm, sha256=True, padlen=0): # type: (Optional[SSH2.Kex], Optional[SSH1.PublicKeyMessage], bool, int) -> None with OutputBuffer() as obuf: fps = [] if pkm is not None: name = 'ssh-rsa1' fp = SSH.Fingerprint(pkm.host_key_fingerprint_data) bits = pkm.host_key_bits fps.append((name, fp, bits)) for fpp in fps: name, fp, bits = fpp fpo = fp.sha256 if sha256 else fp.md5 p = '' if out.batch else ' ' * (padlen - len(name)) out.good('(fin) {0}{1} -- {2} {3}'.format(name, p, bits, fpo)) if len(obuf) > 0: out.head('# fingerprints') obuf.flush() out.sep() def output_recommendations(software, kex, pkm, padlen=0): # type: (SSH.Software, SSH2.Kex, SSH1.PublicKeyMessage, int) -> None for_server = True with OutputBuffer() as obuf: software, alg_rec = get_alg_recommendations(software, kex, pkm, for_server) for sshv in range(2, 0, -1): if sshv not in alg_rec: continue for alg_type in ['kex', 'key', 'enc', 'mac']: if alg_type not in alg_rec[sshv]: continue for action in ['del', 'add']: if action not in alg_rec[sshv][alg_type]: continue for name in alg_rec[sshv][alg_type][action]: p = '' if out.batch else ' ' * (padlen - len(name)) if action == 'del': an, sg, fn = 'remove', '-', out.warn if alg_rec[sshv][alg_type][action][name] >= 10: fn = out.fail else: an, sg, fn = 'append', '+', out.good b = '(SSH{0})'.format(sshv) if sshv == 1 else '' fm = '(rec) {0}{1}{2}-- {3} algorithm to {4} {5}' fn(fm.format(sg, name, p, alg_type, an, b)) if len(obuf) > 0: title = '(for {0})'.format(software.display(False)) if software else '' out.head('# algorithm recommendations {0}'.format(title)) obuf.flush() out.sep() def output(banner, header, kex=None, pkm=None): # type: (Optional[SSH.Banner], List[text_type], Optional[SSH2.Kex], Optional[SSH1.PublicKeyMessage]) -> None sshv = 1 if pkm else 2 with OutputBuffer() as obuf: if len(header) > 0: out.info('(gen) header: ' + '\n'.join(header)) if banner is not None: out.good('(gen) banner: {0}'.format(banner)) if not banner.valid_ascii: # NOTE: RFC 4253, Section 4.2 out.warn('(gen) banner contains non-printable ASCII') if sshv == 1 or banner.protocol[0] == 1: out.fail('(gen) protocol SSH1 enabled') software = SSH.Software.parse(banner) if software is not None: out.good('(gen) software: {0}'.format(software)) else: software = None output_compatibility(kex, pkm) if kex is not None: compressions = [x for x in kex.server.compression if x != 'none'] if len(compressions) > 0: cmptxt = 'enabled ({0})'.format(', '.join(compressions)) else: cmptxt = 'disabled' out.good('(gen) compression: {0}'.format(cmptxt)) if len(obuf) > 0: out.head('# general') obuf.flush() out.sep() ml, maxlen = lambda l: max(len(i) for i in l), 0 if pkm is not None: maxlen = max(ml(pkm.supported_ciphers), ml(pkm.supported_authentications), maxlen) if kex is not None: maxlen = max(ml(kex.kex_algorithms), ml(kex.key_algorithms), ml(kex.server.encryption), ml(kex.server.mac), maxlen) maxlen += 1 output_security(banner, maxlen) if pkm is not None: adb = SSH1.KexDB.ALGORITHMS ciphers = pkm.supported_ciphers auths = pkm.supported_authentications title, atype = 'SSH1 host-key algorithms', 'key' output_algorithms(title, adb, atype, ['ssh-rsa1'], maxlen) title, atype = 'SSH1 encryption algorithms (ciphers)', 'enc' output_algorithms(title, adb, atype, ciphers, maxlen) title, atype = 'SSH1 authentication types', 'aut' output_algorithms(title, adb, atype, auths, maxlen) if kex is not None: adb = KexDB.ALGORITHMS title, atype = 'key exchange algorithms', 'kex' output_algorithms(title, adb, atype, kex.kex_algorithms, maxlen) title, atype = 'host-key algorithms', 'key' output_algorithms(title, adb, atype, kex.key_algorithms, maxlen) title, atype = 'encryption algorithms (ciphers)', 'enc' output_algorithms(title, adb, atype, kex.server.encryption, maxlen) title, atype = 'message authentication code algorithms', 'mac' output_algorithms(title, adb, atype, kex.server.mac, maxlen) output_recommendations(software, kex, pkm, maxlen) output_fingerprint(kex, pkm, True, maxlen) class Utils(object): @classmethod def _type_err(cls, v, target): # type: (Any, text_type) -> TypeError return TypeError('cannot convert {0} to {1}'.format(type(v), target)) @classmethod def to_bytes(cls, v, enc='utf-8'): # type: (Union[binary_type, text_type], str) -> binary_type if isinstance(v, binary_type): return v elif isinstance(v, text_type): return v.encode(enc) raise cls._type_err(v, 'bytes') @classmethod def to_utext(cls, v, enc='utf-8'): # type: (Union[text_type, binary_type], str) -> text_type if isinstance(v, text_type): return v elif isinstance(v, binary_type): return v.decode(enc) raise cls._type_err(v, 'unicode text') @classmethod def to_ntext(cls, v, enc='utf-8'): # type: (Union[text_type, binary_type], str) -> str if isinstance(v, str): return v elif isinstance(v, text_type): return v.encode(enc) elif isinstance(v, binary_type): return v.decode(enc) raise cls._type_err(v, 'native text') @classmethod def is_ascii(cls, v): # type: (Union[text_type, str]) -> bool try: if isinstance(v, (text_type, str)): v.encode('ascii') return True except UnicodeEncodeError: pass return False @classmethod def to_ascii(cls, v, errors='replace'): # type: (Union[text_type, str], str) -> str if isinstance(v, (text_type, str)): return cls.to_ntext(v.encode('ascii', errors)) raise cls._type_err(v, 'ascii') @classmethod def unique_seq(cls, seq): # type: (Sequence[Any]) -> Sequence[Any] seen = set() # type: Set[Any] def _seen_add(x): # type: (Any) -> bool seen.add(x) return False if isinstance(seq, tuple): return tuple(x for x in seq if x not in seen and not _seen_add(x)) else: return [x for x in seq if x not in seen and not _seen_add(x)] @staticmethod def parse_int(v): # type: (Any) -> int try: return int(v) except: # pylint: disable=bare-except return 0 def audit(aconf, sshv=None): # type: (AuditConf, Optional[int]) -> None out.batch = aconf.batch out.colors = aconf.colors out.verbose = aconf.verbose out.minlevel = aconf.minlevel s = SSH.Socket(aconf.host, aconf.port) s.connect(aconf.ipvo) if sshv is None: sshv = 2 if aconf.ssh2 else 1 err = None banner, header = s.get_banner(sshv) if banner is None: err = '[exception] did not receive banner.' if err is None: packet_type, payload = s.read_packet(sshv) if packet_type < 0: try: payload_txt = payload.decode('utf-8') if payload else u'empty' except UnicodeDecodeError: payload_txt = u'"{0}"'.format(repr(payload).lstrip('b')[1:-1]) if payload_txt == u'Protocol major versions differ.': if sshv == 2 and aconf.ssh1: audit(aconf, 1) return err = '[exception] error reading packet ({0})'.format(payload_txt) else: err_pair = None if sshv == 1 and packet_type != SSH.Protocol.SMSG_PUBLIC_KEY: err_pair = ('SMSG_PUBLIC_KEY', SSH.Protocol.SMSG_PUBLIC_KEY) elif sshv == 2 and packet_type != SSH.Protocol.MSG_KEXINIT: err_pair = ('MSG_KEXINIT', SSH.Protocol.MSG_KEXINIT) if err_pair is not None: fmt = '[exception] did not receive {0} ({1}), ' + \ 'instead received unknown message ({2})' err = fmt.format(err_pair[0], err_pair[1], packet_type) if err: output(banner, header) out.fail(err) sys.exit(1) if sshv == 1: pkm = SSH1.PublicKeyMessage.parse(payload) output(banner, header, pkm=pkm) elif sshv == 2: kex = SSH2.Kex.parse(payload) output(banner, header, kex=kex) utils = Utils() out = Output() if __name__ == '__main__': # pragma: nocover conf = AuditConf.from_cmdline(sys.argv[1:], usage) audit(conf) ssh-audit-1.7.0/test/000077500000000000000000000000001300415160500143725ustar00rootroot00000000000000ssh-audit-1.7.0/test/conftest.py000066400000000000000000000056711300415160500166020ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import os import io import sys import socket import pytest if sys.version_info[0] == 2: import StringIO # pylint: disable=import-error StringIO = StringIO.StringIO else: StringIO = io.StringIO @pytest.fixture(scope='module') def ssh_audit(): __rdir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..') sys.path.append(os.path.abspath(__rdir)) return __import__('ssh-audit') # pylint: disable=attribute-defined-outside-init class _OutputSpy(list): def begin(self): self.__out = StringIO() self.__old_stdout = sys.stdout sys.stdout = self.__out def flush(self): lines = self.__out.getvalue().splitlines() sys.stdout = self.__old_stdout self.__out = None return lines @pytest.fixture(scope='module') def output_spy(): return _OutputSpy() class _VirtualSocket(object): def __init__(self): self.sock_address = ('127.0.0.1', 0) self.peer_address = None self._connected = False self.timeout = -1.0 self.rdata = [] self.sdata = [] self.errors = {} def _check_err(self, method): method_error = self.errors.get(method) if method_error: raise method_error def connect(self, address): return self._connect(address, False) def _connect(self, address, ret=True): self.peer_address = address self._connected = True self._check_err('connect') return self if ret else None def settimeout(self, timeout): self.timeout = timeout def gettimeout(self): return self.timeout def getpeername(self): if self.peer_address is None or not self._connected: raise socket.error(57, 'Socket is not connected') return self.peer_address def getsockname(self): return self.sock_address def bind(self, address): self.sock_address = address def listen(self, backlog): pass def accept(self): # pylint: disable=protected-access conn = _VirtualSocket() conn.sock_address = self.sock_address conn.peer_address = ('127.0.0.1', 0) conn._connected = True return conn, conn.peer_address def recv(self, bufsize, flags=0): # pylint: disable=unused-argument if not self._connected: raise socket.error(54, 'Connection reset by peer') if not len(self.rdata) > 0: return b'' data = self.rdata.pop(0) if isinstance(data, Exception): raise data return data def send(self, data): if self.peer_address is None or not self._connected: raise socket.error(32, 'Broken pipe') self._check_err('send') self.sdata.append(data) @pytest.fixture() def virtual_socket(monkeypatch): vsocket = _VirtualSocket() # pylint: disable=unused-argument def _socket(family=socket.AF_INET, socktype=socket.SOCK_STREAM, proto=0, fileno=None): return vsocket def _cc(address, timeout=0, source_address=None): # pylint: disable=protected-access return vsocket._connect(address, True) monkeypatch.setattr(socket, 'create_connection', _cc) monkeypatch.setattr(socket, 'socket', _socket) return vsocket ssh-audit-1.7.0/test/coverage.sh000077500000000000000000000004161300415160500165250ustar00rootroot00000000000000#!/bin/sh _cdir=$(cd -- "$(dirname "$0")" && pwd) type py.test > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "err: py.test (Python testing framework) not found." exit 1 fi cd -- "${_cdir}/.." mkdir -p html py.test -v --cov-report=html:html/coverage --cov=ssh-audit test ssh-audit-1.7.0/test/mypy-py2.sh000077500000000000000000000005361300415160500164430ustar00rootroot00000000000000#!/bin/sh _cdir=$(cd -- "$(dirname "$0")" && pwd) type mypy > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "err: mypy (Optional Static Typing for Python) not found." exit 1 fi _htmldir="${_cdir}/../html/mypy-py2" mkdir -p "${_htmldir}" mypy --python-version 2.7 --config-file "${_cdir}/mypy.ini" --html-report "${_htmldir}" "${_cdir}/../ssh-audit.py" ssh-audit-1.7.0/test/mypy-py3.sh000077500000000000000000000005361300415160500164440ustar00rootroot00000000000000#!/bin/sh _cdir=$(cd -- "$(dirname "$0")" && pwd) type mypy > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "err: mypy (Optional Static Typing for Python) not found." exit 1 fi _htmldir="${_cdir}/../html/mypy-py3" mkdir -p "${_htmldir}" mypy --python-version 3.5 --config-file "${_cdir}/mypy.ini" --html-report "${_htmldir}" "${_cdir}/../ssh-audit.py" ssh-audit-1.7.0/test/mypy.ini000066400000000000000000000003131300415160500160660ustar00rootroot00000000000000[mypy] silent_imports = True disallow_untyped_calls = True disallow_untyped_defs = True check_untyped_defs = True disallow-subclassing-any = True warn-incomplete-stub = True warn-redundant-casts = True ssh-audit-1.7.0/test/prospector.sh000077500000000000000000000005011300415160500171250ustar00rootroot00000000000000#!/bin/sh _cdir=$(cd -- "$(dirname "$0")" && pwd) type prospector > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "err: prospector (Python Static Analysis) not found." exit 1 fi if [ X"$1" == X"" ]; then _file="${_cdir}/../ssh-audit.py" else _file="$1" fi prospector -E --profile-path "${_cdir}" -P prospector "${_file}" ssh-audit-1.7.0/test/prospector.yml000066400000000000000000000022071300415160500173160ustar00rootroot00000000000000strictness: veryhigh doc-warnings: false pylint: disable: - multiple-imports - invalid-name - trailing-whitespace options: max-args: 8 # default: 5 max-locals: 20 # default: 15 max-returns: 6 max-branches: 15 # default: 12 max-statements: 60 # default: 50 max-parents: 7 max-attributes: 8 # default: 7 min-public-methods: 1 # default: 2 max-public-methods: 20 max-bool-expr: 5 max-nested-blocks: 6 # default: 5 max-line-length: 80 # default: 100 ignore-long-lines: ^\s*(#\s+type:\s+.*|[A-Z0-9_]+\s+=\s+.*|('.*':\s+)?\[.*\],?)$ max-module-lines: 2500 # default: 10000 pep8: disable: - W191 # indentation contains tabs - W293 # blank line contains whitespace - E101 # indentation contains mixed spaces and tabs - E401 # multiple imports on one line - E501 # line too long - E221 # multiple spaces before operator pyflakes: disable: - F401 # module imported but unused - F821 # undefined name mccabe: options: max-complexity: 15 ssh-audit-1.7.0/test/test_auditconf.py000066400000000000000000000132501300415160500177600ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import pytest # pylint: disable=attribute-defined-outside-init class TestAuditConf(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.AuditConf = ssh_audit.AuditConf self.usage = ssh_audit.usage @classmethod def _test_conf(cls, conf, **kwargs): options = { 'host': None, 'port': 22, 'ssh1': True, 'ssh2': True, 'batch': False, 'colors': True, 'verbose': False, 'minlevel': 'info', 'ipv4': True, 'ipv6': True, 'ipvo': () } for k, v in kwargs.items(): options[k] = v assert conf.host == options['host'] assert conf.port == options['port'] assert conf.ssh1 is options['ssh1'] assert conf.ssh2 is options['ssh2'] assert conf.batch is options['batch'] assert conf.colors is options['colors'] assert conf.verbose is options['verbose'] assert conf.minlevel == options['minlevel'] assert conf.ipv4 == options['ipv4'] assert conf.ipv6 == options['ipv6'] assert conf.ipvo == options['ipvo'] def test_audit_conf_defaults(self): conf = self.AuditConf() self._test_conf(conf) def test_audit_conf_booleans(self): conf = self.AuditConf() for p in ['ssh1', 'ssh2', 'batch', 'colors', 'verbose']: for v in [True, 1]: setattr(conf, p, v) assert getattr(conf, p) is True for v in [False, 0]: setattr(conf, p, v) assert getattr(conf, p) is False def test_audit_conf_port(self): conf = self.AuditConf() for port in [22, 2222]: conf.port = port assert conf.port == port for port in [-1, 0, 65536, 99999]: with pytest.raises(ValueError) as excinfo: conf.port = port excinfo.match(r'.*invalid port.*') def test_audit_conf_ipvo(self): # ipv4-only conf = self.AuditConf() conf.ipv4 = True assert conf.ipv4 is True assert conf.ipv6 is False assert conf.ipvo == (4,) # ipv6-only conf = self.AuditConf() conf.ipv6 = True assert conf.ipv4 is False assert conf.ipv6 is True assert conf.ipvo == (6,) # ipv4-only (by removing ipv6) conf = self.AuditConf() conf.ipv6 = False assert conf.ipv4 is True assert conf.ipv6 is False assert conf.ipvo == (4, ) # ipv6-only (by removing ipv4) conf = self.AuditConf() conf.ipv4 = False assert conf.ipv4 is False assert conf.ipv6 is True assert conf.ipvo == (6, ) # ipv4-preferred conf = self.AuditConf() conf.ipv4 = True conf.ipv6 = True assert conf.ipv4 is True assert conf.ipv6 is True assert conf.ipvo == (4, 6) # ipv6-preferred conf = self.AuditConf() conf.ipv6 = True conf.ipv4 = True assert conf.ipv4 is True assert conf.ipv6 is True assert conf.ipvo == (6, 4) # ipvo empty conf = self.AuditConf() conf.ipvo = () assert conf.ipv4 is True assert conf.ipv6 is True assert conf.ipvo == () # ipvo validation conf = self.AuditConf() conf.ipvo = (1, 2, 3, 4, 5, 6) assert conf.ipvo == (4, 6) conf.ipvo = (4, 4, 4, 6, 6) assert conf.ipvo == (4, 6) def test_audit_conf_minlevel(self): conf = self.AuditConf() for level in ['info', 'warn', 'fail']: conf.minlevel = level assert conf.minlevel == level for level in ['head', 'good', 'unknown', None]: with pytest.raises(ValueError) as excinfo: conf.minlevel = level excinfo.match(r'.*invalid level.*') def test_audit_conf_cmdline(self): # pylint: disable=too-many-statements c = lambda x: self.AuditConf.from_cmdline(x.split(), self.usage) # noqa with pytest.raises(SystemExit): conf = c('') with pytest.raises(SystemExit): conf = c('-x') with pytest.raises(SystemExit): conf = c('-h') with pytest.raises(SystemExit): conf = c('--help') with pytest.raises(SystemExit): conf = c(':') with pytest.raises(SystemExit): conf = c(':22') conf = c('localhost') self._test_conf(conf, host='localhost') conf = c('github.com') self._test_conf(conf, host='github.com') conf = c('localhost:2222') self._test_conf(conf, host='localhost', port=2222) conf = c('-p 2222 localhost') self._test_conf(conf, host='localhost', port=2222) with pytest.raises(SystemExit): conf = c('localhost:') with pytest.raises(SystemExit): conf = c('localhost:abc') with pytest.raises(SystemExit): conf = c('-p abc localhost') with pytest.raises(SystemExit): conf = c('localhost:-22') with pytest.raises(SystemExit): conf = c('-p -22 localhost') with pytest.raises(SystemExit): conf = c('localhost:99999') with pytest.raises(SystemExit): conf = c('-p 99999 localhost') conf = c('-1 localhost') self._test_conf(conf, host='localhost', ssh1=True, ssh2=False) conf = c('-2 localhost') self._test_conf(conf, host='localhost', ssh1=False, ssh2=True) conf = c('-12 localhost') self._test_conf(conf, host='localhost', ssh1=True, ssh2=True) conf = c('-4 localhost') self._test_conf(conf, host='localhost', ipv4=True, ipv6=False, ipvo=(4,)) conf = c('-6 localhost') self._test_conf(conf, host='localhost', ipv4=False, ipv6=True, ipvo=(6,)) conf = c('-46 localhost') self._test_conf(conf, host='localhost', ipv4=True, ipv6=True, ipvo=(4, 6)) conf = c('-64 localhost') self._test_conf(conf, host='localhost', ipv4=True, ipv6=True, ipvo=(6, 4)) conf = c('-b localhost') self._test_conf(conf, host='localhost', batch=True, verbose=True) conf = c('-n localhost') self._test_conf(conf, host='localhost', colors=False) conf = c('-v localhost') self._test_conf(conf, host='localhost', verbose=True) conf = c('-l info localhost') self._test_conf(conf, host='localhost', minlevel='info') conf = c('-l warn localhost') self._test_conf(conf, host='localhost', minlevel='warn') conf = c('-l fail localhost') self._test_conf(conf, host='localhost', minlevel='fail') with pytest.raises(SystemExit): conf = c('-l something localhost') ssh-audit-1.7.0/test/test_banner.py000066400000000000000000000060061300415160500172520ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import pytest # pylint: disable=line-too-long,attribute-defined-outside-init class TestBanner(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.ssh = ssh_audit.SSH def test_simple_banners(self): banner = lambda x: self.ssh.Banner.parse(x) # noqa b = banner('SSH-2.0-OpenSSH_7.3') assert b.protocol == (2, 0) assert b.software == 'OpenSSH_7.3' assert b.comments is None assert str(b) == 'SSH-2.0-OpenSSH_7.3' b = banner('SSH-1.99-Sun_SSH_1.1.3') assert b.protocol == (1, 99) assert b.software == 'Sun_SSH_1.1.3' assert b.comments is None assert str(b) == 'SSH-1.99-Sun_SSH_1.1.3' b = banner('SSH-1.5-Cisco-1.25') assert b.protocol == (1, 5) assert b.software == 'Cisco-1.25' assert b.comments is None assert str(b) == 'SSH-1.5-Cisco-1.25' def test_invalid_banners(self): b = lambda x: self.ssh.Banner.parse(x) # noqa assert b('Something') is None assert b('SSH-XXX-OpenSSH_7.3') is None def test_banners_with_spaces(self): b = lambda x: self.ssh.Banner.parse(x) # noqa s = 'SSH-2.0-OpenSSH_4.3p2' assert str(b('SSH-2.0-OpenSSH_4.3p2 ')) == s assert str(b('SSH-2.0- OpenSSH_4.3p2')) == s assert str(b('SSH-2.0- OpenSSH_4.3p2 ')) == s s = 'SSH-2.0-OpenSSH_4.3p2 Debian-9etch3 on i686-pc-linux-gnu' assert str(b('SSH-2.0- OpenSSH_4.3p2 Debian-9etch3 on i686-pc-linux-gnu')) == s assert str(b('SSH-2.0-OpenSSH_4.3p2 Debian-9etch3 on i686-pc-linux-gnu ')) == s assert str(b('SSH-2.0- OpenSSH_4.3p2 Debian-9etch3 on i686-pc-linux-gnu ')) == s def test_banners_without_software(self): b = lambda x: self.ssh.Banner.parse(x) # noqa assert b('SSH-2.0').protocol == (2, 0) assert b('SSH-2.0').software is None assert b('SSH-2.0').comments is None assert str(b('SSH-2.0')) == 'SSH-2.0' assert b('SSH-2.0-').protocol == (2, 0) assert b('SSH-2.0-').software == '' assert b('SSH-2.0-').comments is None assert str(b('SSH-2.0-')) == 'SSH-2.0-' def test_banners_with_comments(self): b = lambda x: self.ssh.Banner.parse(x) # noqa assert repr(b('SSH-2.0-OpenSSH_7.2p2 Ubuntu-1')) == '' assert repr(b('SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3')) == '' assert repr(b('SSH-1.5-1.3.7 F-SECURE SSH')) == '' def test_banners_with_multiple_protocols(self): b = lambda x: self.ssh.Banner.parse(x) # noqa assert str(b('SSH-1.99-SSH-1.99-OpenSSH_3.6.1p2')) == 'SSH-1.99-OpenSSH_3.6.1p2' assert str(b('SSH-2.0-SSH-2.0-OpenSSH_4.3p2 Debian-9')) == 'SSH-2.0-OpenSSH_4.3p2 Debian-9' assert str(b('SSH-1.99-SSH-2.0-dropbear_0.5')) == 'SSH-1.99-dropbear_0.5' assert str(b('SSH-2.0-SSH-1.99-OpenSSH_4.2p1 SSH Secure Shell (non-commercial)')) == 'SSH-1.99-OpenSSH_4.2p1 SSH Secure Shell (non-commercial)' assert str(b('SSH-1.99-SSH-1.99-SSH-1.99-OpenSSH_3.9p1')) == 'SSH-1.99-OpenSSH_3.9p1' ssh-audit-1.7.0/test/test_buffer.py000066400000000000000000000103731300415160500172600ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import re import pytest # pylint: disable=attribute-defined-outside-init,bad-whitespace class TestBuffer(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.rbuf = ssh_audit.ReadBuf self.wbuf = ssh_audit.WriteBuf self.utf8rchar = b'\xef\xbf\xbd' @classmethod def _b(cls, v): v = re.sub(r'\s', '', v) data = [int(v[i * 2:i * 2 + 2], 16) for i in range(len(v) // 2)] return bytes(bytearray(data)) def test_unread(self): w = self.wbuf().write_byte(1).write_int(2).write_flush() r = self.rbuf(w) assert r.unread_len == 5 r.read_byte() assert r.unread_len == 4 r.read_int() assert r.unread_len == 0 def test_byte(self): w = lambda x: self.wbuf().write_byte(x).write_flush() # noqa r = lambda x: self.rbuf(x).read_byte() # noqa tc = [(0x00, '00'), (0x01, '01'), (0x10, '10'), (0xff, 'ff')] for p in tc: assert w(p[0]) == self._b(p[1]) assert r(self._b(p[1])) == p[0] def test_bool(self): w = lambda x: self.wbuf().write_bool(x).write_flush() # noqa r = lambda x: self.rbuf(x).read_bool() # noqa tc = [(True, '01'), (False, '00')] for p in tc: assert w(p[0]) == self._b(p[1]) assert r(self._b(p[1])) == p[0] def test_int(self): w = lambda x: self.wbuf().write_int(x).write_flush() # noqa r = lambda x: self.rbuf(x).read_int() # noqa tc = [(0x00, '00 00 00 00'), (0x01, '00 00 00 01'), (0xabcd, '00 00 ab cd'), (0xffffffff, 'ff ff ff ff')] for p in tc: assert w(p[0]) == self._b(p[1]) assert r(self._b(p[1])) == p[0] def test_string(self): w = lambda x: self.wbuf().write_string(x).write_flush() # noqa r = lambda x: self.rbuf(x).read_string() # noqa tc = [(u'abc1', '00 00 00 04 61 62 63 31'), (b'abc2', '00 00 00 04 61 62 63 32')] for p in tc: v = p[0] assert w(v) == self._b(p[1]) if not isinstance(v, bytes): v = bytes(bytearray(v, 'utf-8')) assert r(self._b(p[1])) == v def test_list(self): w = lambda x: self.wbuf().write_list(x).write_flush() # noqa r = lambda x: self.rbuf(x).read_list() # noqa tc = [(['d', 'ef', 'ault'], '00 00 00 09 64 2c 65 66 2c 61 75 6c 74')] for p in tc: assert w(p[0]) == self._b(p[1]) assert r(self._b(p[1])) == p[0] def test_list_nonutf8(self): r = lambda x: self.rbuf(x).read_list() # noqa src = self._b('00 00 00 04 de ad be ef') dst = [(b'\xde\xad' + self.utf8rchar + self.utf8rchar).decode('utf-8')] assert r(src) == dst def test_line(self): w = lambda x: self.wbuf().write_line(x).write_flush() # noqa r = lambda x: self.rbuf(x).read_line() # noqa tc = [(u'example line', '65 78 61 6d 70 6c 65 20 6c 69 6e 65 0d 0a')] for p in tc: assert w(p[0]) == self._b(p[1]) assert r(self._b(p[1])) == p[0] def test_line_nonutf8(self): r = lambda x: self.rbuf(x).read_line() # noqa src = self._b('de ad be af') dst = (b'\xde\xad' + self.utf8rchar + self.utf8rchar).decode('utf-8') assert r(src) == dst def test_bitlen(self): # pylint: disable=protected-access class Py26Int(int): def bit_length(self): raise AttributeError assert self.wbuf._bitlength(42) == 6 assert self.wbuf._bitlength(Py26Int(42)) == 6 def test_mpint1(self): mpint1w = lambda x: self.wbuf().write_mpint1(x).write_flush() # noqa mpint1r = lambda x: self.rbuf(x).read_mpint1() # noqa tc = [(0x0, '00 00'), (0x1234, '00 0d 12 34'), (0x12345, '00 11 01 23 45'), (0xdeadbeef, '00 20 de ad be ef')] for p in tc: assert mpint1w(p[0]) == self._b(p[1]) assert mpint1r(self._b(p[1])) == p[0] def test_mpint2(self): mpint2w = lambda x: self.wbuf().write_mpint2(x).write_flush() # noqa mpint2r = lambda x: self.rbuf(x).read_mpint2() # noqa tc = [(0x0, '00 00 00 00'), (0x80, '00 00 00 02 00 80'), (0x9a378f9b2e332a7, '00 00 00 08 09 a3 78 f9 b2 e3 32 a7'), (-0x1234, '00 00 00 02 ed cc'), (-0xdeadbeef, '00 00 00 05 ff 21 52 41 11'), (-0x8000, '00 00 00 02 80 00'), (-0x80, '00 00 00 01 80')] for p in tc: assert mpint2w(p[0]) == self._b(p[1]) assert mpint2r(self._b(p[1])) == p[0] assert mpint2r(self._b('00 00 00 02 ff 80')) == -0x80 ssh-audit-1.7.0/test/test_errors.py000066400000000000000000000077521300415160500173320ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import socket import pytest # pylint: disable=attribute-defined-outside-init class TestErrors(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.AuditConf = ssh_audit.AuditConf self.audit = ssh_audit.audit def _conf(self): conf = self.AuditConf('localhost', 22) conf.colors = False conf.batch = True return conf def test_connection_refused(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.errors['connect'] = socket.error(61, 'Connection refused') output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 1 assert 'Connection refused' in lines[-1] def test_connection_closed_before_banner(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(socket.error(54, 'Connection reset by peer')) output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 1 assert 'did not receive banner' in lines[-1] def test_connection_closed_after_header(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'header line 1\n') vsocket.rdata.append(b'header line 2\n') vsocket.rdata.append(socket.error(54, 'Connection reset by peer')) output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 3 assert 'did not receive banner' in lines[-1] def test_connection_closed_after_banner(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'SSH-2.0-ssh-audit-test\r\n') vsocket.rdata.append(socket.error(54, 'Connection reset by peer')) output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 2 assert 'error reading packet' in lines[-1] assert 'reset by peer' in lines[-1] def test_empty_data_after_banner(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'SSH-2.0-ssh-audit-test\r\n') output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 2 assert 'error reading packet' in lines[-1] assert 'empty' in lines[-1] def test_wrong_data_after_banner(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'SSH-2.0-ssh-audit-test\r\n') vsocket.rdata.append(b'xxx\n') output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 2 assert 'error reading packet' in lines[-1] assert 'xxx' in lines[-1] def test_non_ascii_banner(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'SSH-2.0-ssh-audit-test\xc3\xbc\r\n') output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 3 assert 'error reading packet' in lines[-1] assert 'ASCII' in lines[-2] assert lines[-3].endswith('SSH-2.0-ssh-audit-test?') def test_nonutf8_data_after_banner(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'SSH-2.0-ssh-audit-test\r\n') vsocket.rdata.append(b'\x81\xff\n') output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 2 assert 'error reading packet' in lines[-1] assert '\\x81\\xff' in lines[-1] def test_protocol_mismatch_by_conf(self, output_spy, virtual_socket): vsocket = virtual_socket vsocket.rdata.append(b'SSH-1.3-ssh-audit-test\r\n') vsocket.rdata.append(b'Protocol major versions differ.\n') output_spy.begin() with pytest.raises(SystemExit): conf = self._conf() conf.ssh1, conf.ssh2 = True, False self.audit(conf) lines = output_spy.flush() assert len(lines) == 3 assert 'error reading packet' in lines[-1] assert 'major versions differ' in lines[-1] ssh-audit-1.7.0/test/test_output.py000066400000000000000000000110271300415160500173440ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- from __future__ import print_function import pytest # pylint: disable=attribute-defined-outside-init class TestOutput(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.Output = ssh_audit.Output self.OutputBuffer = ssh_audit.OutputBuffer def test_output_buffer_no_lines(self, output_spy): output_spy.begin() with self.OutputBuffer() as obuf: pass assert output_spy.flush() == [] output_spy.begin() with self.OutputBuffer() as obuf: pass obuf.flush() assert output_spy.flush() == [] def test_output_buffer_no_flush(self, output_spy): output_spy.begin() with self.OutputBuffer(): print(u'abc') assert output_spy.flush() == [] def test_output_buffer_flush(self, output_spy): output_spy.begin() with self.OutputBuffer() as obuf: print(u'abc') print() print(u'def') obuf.flush() assert output_spy.flush() == [u'abc', u'', u'def'] def test_output_defaults(self): out = self.Output() # default: on assert out.batch is False assert out.colors is True assert out.minlevel == 'info' def test_output_colors(self, output_spy): out = self.Output() # test without colors out.colors = False output_spy.begin() out.info('info color') assert output_spy.flush() == [u'info color'] output_spy.begin() out.head('head color') assert output_spy.flush() == [u'head color'] output_spy.begin() out.good('good color') assert output_spy.flush() == [u'good color'] output_spy.begin() out.warn('warn color') assert output_spy.flush() == [u'warn color'] output_spy.begin() out.fail('fail color') assert output_spy.flush() == [u'fail color'] if not out.colors_supported: return # test with colors out.colors = True output_spy.begin() out.info('info color') assert output_spy.flush() == [u'info color'] output_spy.begin() out.head('head color') assert output_spy.flush() == [u'\x1b[0;36mhead color\x1b[0m'] output_spy.begin() out.good('good color') assert output_spy.flush() == [u'\x1b[0;32mgood color\x1b[0m'] output_spy.begin() out.warn('warn color') assert output_spy.flush() == [u'\x1b[0;33mwarn color\x1b[0m'] output_spy.begin() out.fail('fail color') assert output_spy.flush() == [u'\x1b[0;31mfail color\x1b[0m'] def test_output_sep(self, output_spy): out = self.Output() output_spy.begin() out.sep() out.sep() out.sep() assert output_spy.flush() == [u'', u'', u''] def test_output_levels(self): out = self.Output() assert out.getlevel('info') == 0 assert out.getlevel('good') == 0 assert out.getlevel('warn') == 1 assert out.getlevel('fail') == 2 assert out.getlevel('unknown') > 2 def test_output_minlevel_property(self): out = self.Output() out.minlevel = 'info' assert out.minlevel == 'info' out.minlevel = 'good' assert out.minlevel == 'info' out.minlevel = 'warn' assert out.minlevel == 'warn' out.minlevel = 'fail' assert out.minlevel == 'fail' out.minlevel = 'invalid level' assert out.minlevel == 'unknown' def test_output_minlevel(self, output_spy): out = self.Output() # visible: all out.minlevel = 'info' output_spy.begin() out.info('info color') out.head('head color') out.good('good color') out.warn('warn color') out.fail('fail color') assert len(output_spy.flush()) == 5 # visible: head, warn, fail out.minlevel = 'warn' output_spy.begin() out.info('info color') out.head('head color') out.good('good color') out.warn('warn color') out.fail('fail color') assert len(output_spy.flush()) == 3 # visible: head, fail out.minlevel = 'fail' output_spy.begin() out.info('info color') out.head('head color') out.good('good color') out.warn('warn color') out.fail('fail color') assert len(output_spy.flush()) == 2 # visible: head out.minlevel = 'invalid level' output_spy.begin() out.info('info color') out.head('head color') out.good('good color') out.warn('warn color') out.fail('fail color') assert len(output_spy.flush()) == 1 def test_output_batch(self, output_spy): out = self.Output() # visible: all output_spy.begin() out.minlevel = 'info' out.batch = False out.info('info color') out.head('head color') out.good('good color') out.warn('warn color') out.fail('fail color') assert len(output_spy.flush()) == 5 # visible: all except head output_spy.begin() out.minlevel = 'info' out.batch = True out.info('info color') out.head('head color') out.good('good color') out.warn('warn color') out.fail('fail color') assert len(output_spy.flush()) == 4 ssh-audit-1.7.0/test/test_software.py000066400000000000000000000265571300415160500176540ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import pytest # pylint: disable=line-too-long,attribute-defined-outside-init class TestSoftware(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.ssh = ssh_audit.SSH def test_unknown_software(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa assert ps('SSH-1.5') is None assert ps('SSH-1.99-AlfaMegaServer') is None assert ps('SSH-2.0-BetaMegaServer 0.0.1') is None def test_openssh_software(self): # pylint: disable=too-many-statements ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # common s = ps('SSH-2.0-OpenSSH_7.3') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '7.3' assert s.patch is None assert s.os is None assert str(s) == 'OpenSSH 7.3' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' # common, portable s = ps('SSH-2.0-OpenSSH_7.2p1') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '7.2' assert s.patch == 'p1' assert s.os is None assert str(s) == 'OpenSSH 7.2p1' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'OpenSSH 7.2' assert repr(s) == '' # dot instead of underline s = ps('SSH-2.0-OpenSSH.6.6') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '6.6' assert s.patch is None assert s.os is None assert str(s) == 'OpenSSH 6.6' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' # dash instead of underline s = ps('SSH-2.0-OpenSSH-3.9p1') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '3.9' assert s.patch == 'p1' assert s.os is None assert str(s) == 'OpenSSH 3.9p1' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'OpenSSH 3.9' assert repr(s) == '' # patch prefix with dash s = ps('SSH-2.0-OpenSSH_7.2-hpn14v5') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '7.2' assert s.patch == 'hpn14v5' assert s.os is None assert str(s) == 'OpenSSH 7.2 (hpn14v5)' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'OpenSSH 7.2' assert repr(s) == '' # patch prefix with underline s = ps('SSH-1.5-OpenSSH_6.6.1_hpn13v11') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '6.6.1' assert s.patch == 'hpn13v11' assert s.os is None assert str(s) == 'OpenSSH 6.6.1 (hpn13v11)' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'OpenSSH 6.6.1' assert repr(s) == '' # patch prefix with dot s = ps('SSH-2.0-OpenSSH_5.9.CASPUR') assert s.vendor is None assert s.product == 'OpenSSH' assert s.version == '5.9' assert s.patch == 'CASPUR' assert s.os is None assert str(s) == 'OpenSSH 5.9 (CASPUR)' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'OpenSSH 5.9' assert repr(s) == '' def test_dropbear_software(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # common s = ps('SSH-2.0-dropbear_2016.74') assert s.vendor is None assert s.product == 'Dropbear SSH' assert s.version == '2016.74' assert s.patch is None assert s.os is None assert str(s) == 'Dropbear SSH 2016.74' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' # common, patch s = ps('SSH-2.0-dropbear_0.44test4') assert s.vendor is None assert s.product == 'Dropbear SSH' assert s.version == '0.44' assert s.patch == 'test4' assert s.os is None assert str(s) == 'Dropbear SSH 0.44 (test4)' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'Dropbear SSH 0.44' assert repr(s) == '' # patch prefix with dash s = ps('SSH-2.0-dropbear_0.44-Freesco-p49') assert s.vendor is None assert s.product == 'Dropbear SSH' assert s.version == '0.44' assert s.patch == 'Freesco-p49' assert s.os is None assert str(s) == 'Dropbear SSH 0.44 (Freesco-p49)' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'Dropbear SSH 0.44' assert repr(s) == '' # patch prefix with underline s = ps('SSH-2.0-dropbear_2014.66_agbn_1') assert s.vendor is None assert s.product == 'Dropbear SSH' assert s.version == '2014.66' assert s.patch == 'agbn_1' assert s.os is None assert str(s) == 'Dropbear SSH 2014.66 (agbn_1)' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == 'Dropbear SSH 2014.66' assert repr(s) == '' def test_libssh_software(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # common s = ps('SSH-2.0-libssh-0.2') assert s.vendor is None assert s.product == 'libssh' assert s.version == '0.2' assert s.patch is None assert s.os is None assert str(s) == 'libssh 0.2' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' s = ps('SSH-2.0-libssh-0.7.3') assert s.vendor is None assert s.product == 'libssh' assert s.version == '0.7.3' assert s.patch is None assert s.os is None assert str(s) == 'libssh 0.7.3' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' def test_romsshell_software(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # common s = ps('SSH-2.0-RomSShell_5.40') assert s.vendor == 'Allegro Software' assert s.product == 'RomSShell' assert s.version == '5.40' assert s.patch is None assert s.os is None assert str(s) == 'Allegro Software RomSShell 5.40' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' def test_hp_ilo_software(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # common s = ps('SSH-2.0-mpSSH_0.2.1') assert s.vendor == 'HP' assert s.product == 'iLO (Integrated Lights-Out) sshd' assert s.version == '0.2.1' assert s.patch is None assert s.os is None assert str(s) == 'HP iLO (Integrated Lights-Out) sshd 0.2.1' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' def test_cisco_software(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # common s = ps('SSH-1.5-Cisco-1.25') assert s.vendor == 'Cisco' assert s.product == 'IOS/PIX sshd' assert s.version == '1.25' assert s.patch is None assert s.os is None assert str(s) == 'Cisco IOS/PIX sshd 1.25' assert str(s) == s.display() assert s.display(True) == str(s) assert s.display(False) == str(s) assert repr(s) == '' def test_software_os(self): ps = lambda x: self.ssh.Software.parse(self.ssh.Banner.parse(x)) # noqa # unknown s = ps('SSH-2.0-OpenSSH_3.7.1 MegaOperatingSystem 123') assert s.os is None # NetBSD s = ps('SSH-1.99-OpenSSH_2.5.1 NetBSD_Secure_Shell-20010614') assert s.os == 'NetBSD (2001-06-14)' assert str(s) == 'OpenSSH 2.5.1 running on NetBSD (2001-06-14)' assert repr(s) == '' s = ps('SSH-1.99-OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1') assert s.os == 'NetBSD (2008-04-03)' assert str(s) == 'OpenSSH 5.0 running on NetBSD (2008-04-03)' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_6.6.1_hpn13v11 NetBSD-20100308') assert s.os == 'NetBSD (2010-03-08)' assert str(s) == 'OpenSSH 6.6.1 (hpn13v11) running on NetBSD (2010-03-08)' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_4.4 NetBSD') assert s.os == 'NetBSD' assert str(s) == 'OpenSSH 4.4 running on NetBSD' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_3.0.2 NetBSD Secure Shell') assert s.os == 'NetBSD' assert str(s) == 'OpenSSH 3.0.2 running on NetBSD' assert repr(s) == '' # FreeBSD s = ps('SSH-2.0-OpenSSH_7.2 FreeBSD-20160310') assert s.os == 'FreeBSD (2016-03-10)' assert str(s) == 'OpenSSH 7.2 running on FreeBSD (2016-03-10)' assert repr(s) == '' s = ps('SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307') assert s.os == 'FreeBSD (2002-03-07)' assert str(s) == 'OpenSSH 2.9 running on FreeBSD (2002-03-07)' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_2.3.0 green@FreeBSD.org 20010321') assert s.os == 'FreeBSD (2001-03-21)' assert str(s) == 'OpenSSH 2.3.0 running on FreeBSD (2001-03-21)' assert repr(s) == '' s = ps('SSH-1.99-OpenSSH_4.4p1 FreeBSD-openssh-portable-overwrite-base-4.4.p1_1,1') assert s.os == 'FreeBSD' assert str(s) == 'OpenSSH 4.4p1 running on FreeBSD' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_7.2-OVH-rescue FreeBSD') assert s.os == 'FreeBSD' assert str(s) == 'OpenSSH 7.2 (OVH-rescue) running on FreeBSD' assert repr(s) == '' # Windows s = ps('SSH-2.0-OpenSSH_3.7.1 in RemotelyAnywhere 5.21.422') assert s.os == 'Microsoft Windows (RemotelyAnywhere 5.21.422)' assert str(s) == 'OpenSSH 3.7.1 running on Microsoft Windows (RemotelyAnywhere 5.21.422)' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_3.8 in DesktopAuthority 7.1.091') assert s.os == 'Microsoft Windows (DesktopAuthority 7.1.091)' assert str(s) == 'OpenSSH 3.8 running on Microsoft Windows (DesktopAuthority 7.1.091)' assert repr(s) == '' s = ps('SSH-2.0-OpenSSH_3.8 in RemoteSupportManager 1.0.023') assert s.os == 'Microsoft Windows (RemoteSupportManager 1.0.023)' assert str(s) == 'OpenSSH 3.8 running on Microsoft Windows (RemoteSupportManager 1.0.023)' assert repr(s) == '' ssh-audit-1.7.0/test/test_ssh1.py000066400000000000000000000124251300415160500166650ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import struct import pytest # pylint: disable=line-too-long,attribute-defined-outside-init class TestSSH1(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.ssh = ssh_audit.SSH self.ssh1 = ssh_audit.SSH1 self.rbuf = ssh_audit.ReadBuf self.wbuf = ssh_audit.WriteBuf self.audit = ssh_audit.audit self.AuditConf = ssh_audit.AuditConf def _conf(self): conf = self.AuditConf('localhost', 22) conf.colors = False conf.batch = True conf.verbose = True conf.ssh1 = True conf.ssh2 = False return conf def _create_ssh1_packet(self, payload, valid_crc=True): padding = -(len(payload) + 4) % 8 plen = len(payload) + 4 pad_bytes = b'\x00' * padding cksum = self.ssh1.crc32(pad_bytes + payload) if valid_crc else 0 data = struct.pack('>I', plen) + pad_bytes + payload + struct.pack('>I', cksum) return data @classmethod def _server_key(cls): return (1024, 0x10001, 0xee6552da432e0ac2c422df1a51287507748bfe3b5e3e4fa989a8f49fdc163a17754939ef18ef8a667ea3b71036a151fcd7f5e01ceef1e4439864baf3ac569047582c69d6c128212e0980dcb3168f00d371004039983f6033cd785b8b8f85096c7d9405cbfdc664e27c966356a6b4eb6ee20ad43414b50de18b22829c1880b551) @classmethod def _host_key(cls): return (2048, 0x10001, 0xdfa20cd2a530ccc8c870aa60d9feb3b35deeab81c3215a96557abbd683d21f4600f38e475d87100da9a4404220eeb3bb5584e5a2b5b48ffda58530ea19104a32577d7459d91e76aa711b241050f4cc6d5327ccce254f371acad3be56d46eb5919b73f20dbdb1177b700f00891c5bf4ed128bb90ed541b778288285bcfa28432ab5cbcb8321b6e24760e998e0daa519f093a631e44276d7dd252ce0c08c75e2ab28a7349ead779f97d0f20a6d413bf3623cd216dc35375f6366690bcc41e3b2d5465840ec7ee0dc7e3f1c101d674a0c7dbccbc3942788b111396add2f8153b46a0e4b50d66e57ee92958f1c860dd97cc0e40e32febff915343ed53573142bdf4b) def _pkm_payload(self): w = self.wbuf() w.write(b'\x88\x99\xaa\xbb\xcc\xdd\xee\xff') b, e, m = self._server_key() w.write_int(b).write_mpint1(e).write_mpint1(m) b, e, m = self._host_key() w.write_int(b).write_mpint1(e).write_mpint1(m) w.write_int(2) w.write_int(72) w.write_int(36) return w.write_flush() def test_crc32(self): assert self.ssh1.crc32(b'') == 0x00 assert self.ssh1.crc32(b'The quick brown fox jumps over the lazy dog') == 0xb9c60808 def test_fingerprint(self): # pylint: disable=protected-access b, e, m = self._host_key() fpd = self.wbuf._create_mpint(m, False) fpd += self.wbuf._create_mpint(e, False) fp = self.ssh.Fingerprint(fpd) assert b == 2048 assert fp.md5 == 'MD5:9d:26:f8:39:fc:20:9d:9b:ca:cc:4a:0f:e1:93:f5:96' assert fp.sha256 == 'SHA256:vZdx3mhzbvVJmn08t/ruv8WDhJ9jfKYsCTuSzot+QIs' def test_pkm_read(self): pkm = self.ssh1.PublicKeyMessage.parse(self._pkm_payload()) assert pkm is not None assert pkm.cookie == b'\x88\x99\xaa\xbb\xcc\xdd\xee\xff' b, e, m = self._server_key() assert pkm.server_key_bits == b assert pkm.server_key_public_exponent == e assert pkm.server_key_public_modulus == m b, e, m = self._host_key() assert pkm.host_key_bits == b assert pkm.host_key_public_exponent == e assert pkm.host_key_public_modulus == m fp = self.ssh.Fingerprint(pkm.host_key_fingerprint_data) assert pkm.protocol_flags == 2 assert pkm.supported_ciphers_mask == 72 assert pkm.supported_ciphers == ['3des', 'blowfish'] assert pkm.supported_authentications_mask == 36 assert pkm.supported_authentications == ['rsa', 'tis'] assert fp.md5 == 'MD5:9d:26:f8:39:fc:20:9d:9b:ca:cc:4a:0f:e1:93:f5:96' assert fp.sha256 == 'SHA256:vZdx3mhzbvVJmn08t/ruv8WDhJ9jfKYsCTuSzot+QIs' def test_pkm_payload(self): cookie = b'\x88\x99\xaa\xbb\xcc\xdd\xee\xff' skey = self._server_key() hkey = self._host_key() pflags = 2 cmask = 72 amask = 36 pkm1 = self.ssh1.PublicKeyMessage(cookie, skey, hkey, pflags, cmask, amask) pkm2 = self.ssh1.PublicKeyMessage.parse(self._pkm_payload()) assert pkm1.payload == pkm2.payload def test_ssh1_server_simple(self, output_spy, virtual_socket): vsocket = virtual_socket w = self.wbuf() w.write_byte(self.ssh.Protocol.SMSG_PUBLIC_KEY) w.write(self._pkm_payload()) vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n') vsocket.rdata.append(self._create_ssh1_packet(w.write_flush())) output_spy.begin() self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 10 def test_ssh1_server_invalid_first_packet(self, output_spy, virtual_socket): vsocket = virtual_socket w = self.wbuf() w.write_byte(self.ssh.Protocol.SMSG_PUBLIC_KEY + 1) w.write(self._pkm_payload()) vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n') vsocket.rdata.append(self._create_ssh1_packet(w.write_flush())) output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 4 assert 'unknown message' in lines[-1] def test_ssh1_server_invalid_checksum(self, output_spy, virtual_socket): vsocket = virtual_socket w = self.wbuf() w.write_byte(self.ssh.Protocol.SMSG_PUBLIC_KEY + 1) w.write(self._pkm_payload()) vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n') vsocket.rdata.append(self._create_ssh1_packet(w.write_flush(), False)) output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 1 assert 'checksum' in lines[-1] ssh-audit-1.7.0/test/test_ssh2.py000066400000000000000000000166331300415160500166730ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import struct, os import pytest # pylint: disable=line-too-long,attribute-defined-outside-init class TestSSH2(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.ssh = ssh_audit.SSH self.ssh2 = ssh_audit.SSH2 self.rbuf = ssh_audit.ReadBuf self.wbuf = ssh_audit.WriteBuf self.audit = ssh_audit.audit self.AuditConf = ssh_audit.AuditConf def _conf(self): conf = self.AuditConf('localhost', 22) conf.colors = False conf.batch = True conf.verbose = True conf.ssh1 = False conf.ssh2 = True return conf @classmethod def _create_ssh2_packet(cls, payload): padding = -(len(payload) + 5) % 8 if padding < 4: padding += 8 plen = len(payload) + padding + 1 pad_bytes = b'\x00' * padding data = struct.pack('>Ib', plen, padding) + payload + pad_bytes return data def _kex_payload(self): w = self.wbuf() w.write(b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff') w.write_list([u'curve25519-sha256@libssh.org', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group14-sha1']) w.write_list([u'ssh-rsa', u'rsa-sha2-512', u'rsa-sha2-256', u'ssh-ed25519']) w.write_list([u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com', u'aes128-cbc', u'aes192-cbc', u'aes256-cbc']) w.write_list([u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com', u'aes128-cbc', u'aes192-cbc', u'aes256-cbc']) w.write_list([u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1']) w.write_list([u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1']) w.write_list([u'none', u'zlib@openssh.com']) w.write_list([u'none', u'zlib@openssh.com']) w.write_list([u'']) w.write_list([u'']) w.write_byte(False) w.write_int(0) return w.write_flush() def test_kex_read(self): kex = self.ssh2.Kex.parse(self._kex_payload()) assert kex is not None assert kex.cookie == b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff' assert kex.kex_algorithms == [u'curve25519-sha256@libssh.org', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group14-sha1'] assert kex.key_algorithms == [u'ssh-rsa', u'rsa-sha2-512', u'rsa-sha2-256', u'ssh-ed25519'] assert kex.client is not None assert kex.server is not None assert kex.client.encryption == [u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com', u'aes128-cbc', u'aes192-cbc', u'aes256-cbc'] assert kex.server.encryption == [u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com', u'aes128-cbc', u'aes192-cbc', u'aes256-cbc'] assert kex.client.mac == [u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] assert kex.server.mac == [u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] assert kex.client.compression == [u'none', u'zlib@openssh.com'] assert kex.server.compression == [u'none', u'zlib@openssh.com'] assert kex.client.languages == [u''] assert kex.server.languages == [u''] assert kex.follows is False assert kex.unused == 0 def _get_empty_kex(self, cookie=None): kex_algs, key_algs = [], [] enc, mac, compression, languages = [], [], ['none'], [] cli = self.ssh2.KexParty(enc, mac, compression, languages) enc, mac, compression, languages = [], [], ['none'], [] srv = self.ssh2.KexParty(enc, mac, compression, languages) if cookie is None: cookie = os.urandom(16) kex = self.ssh2.Kex(cookie, kex_algs, key_algs, cli, srv, 0) return kex def _get_kex_variat1(self): cookie = b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff' kex = self._get_empty_kex(cookie) kex.kex_algorithms.append('curve25519-sha256@libssh.org') kex.kex_algorithms.append('ecdh-sha2-nistp256') kex.kex_algorithms.append('ecdh-sha2-nistp384') kex.kex_algorithms.append('ecdh-sha2-nistp521') kex.kex_algorithms.append('diffie-hellman-group-exchange-sha256') kex.kex_algorithms.append('diffie-hellman-group14-sha1') kex.key_algorithms.append('ssh-rsa') kex.key_algorithms.append('rsa-sha2-512') kex.key_algorithms.append('rsa-sha2-256') kex.key_algorithms.append('ssh-ed25519') kex.server.encryption.append('chacha20-poly1305@openssh.com') kex.server.encryption.append('aes128-ctr') kex.server.encryption.append('aes192-ctr') kex.server.encryption.append('aes256-ctr') kex.server.encryption.append('aes128-gcm@openssh.com') kex.server.encryption.append('aes256-gcm@openssh.com') kex.server.encryption.append('aes128-cbc') kex.server.encryption.append('aes192-cbc') kex.server.encryption.append('aes256-cbc') kex.server.mac.append('umac-64-etm@openssh.com') kex.server.mac.append('umac-128-etm@openssh.com') kex.server.mac.append('hmac-sha2-256-etm@openssh.com') kex.server.mac.append('hmac-sha2-512-etm@openssh.com') kex.server.mac.append('hmac-sha1-etm@openssh.com') kex.server.mac.append('umac-64@openssh.com') kex.server.mac.append('umac-128@openssh.com') kex.server.mac.append('hmac-sha2-256') kex.server.mac.append('hmac-sha2-512') kex.server.mac.append('hmac-sha1') kex.server.compression.append('zlib@openssh.com') for a in kex.server.encryption: kex.client.encryption.append(a) for a in kex.server.mac: kex.client.mac.append(a) for a in kex.server.compression: if a == 'none': continue kex.client.compression.append(a) return kex def test_key_payload(self): kex1 = self._get_kex_variat1() kex2 = self.ssh2.Kex.parse(self._kex_payload()) assert kex1.payload == kex2.payload def test_ssh2_server_simple(self, output_spy, virtual_socket): vsocket = virtual_socket w = self.wbuf() w.write_byte(self.ssh.Protocol.MSG_KEXINIT) w.write(self._kex_payload()) vsocket.rdata.append(b'SSH-2.0-OpenSSH_7.3 ssh-audit-test\r\n') vsocket.rdata.append(self._create_ssh2_packet(w.write_flush())) output_spy.begin() self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 72 def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket): vsocket = virtual_socket w = self.wbuf() w.write_byte(self.ssh.Protocol.MSG_KEXINIT + 1) vsocket.rdata.append(b'SSH-2.0-OpenSSH_7.3 ssh-audit-test\r\n') vsocket.rdata.append(self._create_ssh2_packet(w.write_flush())) output_spy.begin() with pytest.raises(SystemExit): self.audit(self._conf()) lines = output_spy.flush() assert len(lines) == 3 assert 'unknown message' in lines[-1] ssh-audit-1.7.0/test/test_version_compare.py000066400000000000000000000164021300415160500212010ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- import pytest # pylint: disable=attribute-defined-outside-init class TestVersionCompare(object): @pytest.fixture(autouse=True) def init(self, ssh_audit): self.ssh = ssh_audit.SSH def get_dropbear_software(self, v): b = self.ssh.Banner.parse('SSH-2.0-dropbear_{0}'.format(v)) return self.ssh.Software.parse(b) def get_openssh_software(self, v): b = self.ssh.Banner.parse('SSH-2.0-OpenSSH_{0}'.format(v)) return self.ssh.Software.parse(b) def get_libssh_software(self, v): b = self.ssh.Banner.parse('SSH-2.0-libssh-{0}'.format(v)) return self.ssh.Software.parse(b) def test_dropbear_compare_version_pre_years(self): s = self.get_dropbear_software('0.44') assert s.compare_version(None) == 1 assert s.compare_version('') == 1 assert s.compare_version('0.43') > 0 assert s.compare_version('0.44') == 0 assert s.compare_version(s) == 0 assert s.compare_version('0.45') < 0 assert s.between_versions('0.43', '0.45') assert s.between_versions('0.43', '0.43') is False assert s.between_versions('0.45', '0.43') is False def test_dropbear_compare_version_with_years(self): s = self.get_dropbear_software('2015.71') assert s.compare_version(None) == 1 assert s.compare_version('') == 1 assert s.compare_version('2014.66') > 0 assert s.compare_version('2015.71') == 0 assert s.compare_version(s) == 0 assert s.compare_version('2016.74') < 0 assert s.between_versions('2014.66', '2016.74') assert s.between_versions('2014.66', '2015.69') is False assert s.between_versions('2016.74', '2014.66') is False def test_dropbear_compare_version_mixed(self): s = self.get_dropbear_software('0.53.1') assert s.compare_version(None) == 1 assert s.compare_version('') == 1 assert s.compare_version('0.53') > 0 assert s.compare_version('0.53.1') == 0 assert s.compare_version(s) == 0 assert s.compare_version('2011.54') < 0 assert s.between_versions('0.53', '2011.54') assert s.between_versions('0.53', '0.53') is False assert s.between_versions('2011.54', '0.53') is False def test_dropbear_compare_version_patchlevel(self): s1 = self.get_dropbear_software('0.44') s2 = self.get_dropbear_software('0.44test3') assert s1.compare_version(None) == 1 assert s1.compare_version('') == 1 assert s1.compare_version('0.44') == 0 assert s1.compare_version(s1) == 0 assert s1.compare_version('0.43') > 0 assert s1.compare_version('0.44test4') > 0 assert s1.between_versions('0.44test4', '0.45') assert s1.between_versions('0.43', '0.44test4') is False assert s1.between_versions('0.45', '0.44test4') is False assert s2.compare_version(None) == 1 assert s2.compare_version('') == 1 assert s2.compare_version('0.44test3') == 0 assert s2.compare_version(s2) == 0 assert s2.compare_version('0.44') < 0 assert s2.compare_version('0.44test4') < 0 assert s2.between_versions('0.43', '0.44') assert s2.between_versions('0.43', '0.44test2') is False assert s2.between_versions('0.44', '0.43') is False assert s1.compare_version(s2) > 0 assert s2.compare_version(s1) < 0 def test_dropbear_compare_version_sequential(self): versions = [] for i in range(28, 44): versions.append('0.{0}'.format(i)) for i in range(1, 5): versions.append('0.44test{0}'.format(i)) for i in range(44, 49): versions.append('0.{0}'.format(i)) versions.append('0.48.1') for i in range(49, 54): versions.append('0.{0}'.format(i)) versions.append('0.53.1') for v in ['2011.54', '2012.55']: versions.append(v) for i in range(56, 61): versions.append('2013.{0}'.format(i)) for v in ['2013.61test', '2013.62']: versions.append(v) for i in range(63, 67): versions.append('2014.{0}'.format(i)) for i in range(67, 72): versions.append('2015.{0}'.format(i)) for i in range(72, 75): versions.append('2016.{0}'.format(i)) l = len(versions) for i in range(l): v = versions[i] s = self.get_dropbear_software(v) assert s.compare_version(v) == 0 if i - 1 >= 0: vbefore = versions[i - 1] assert s.compare_version(vbefore) > 0 if i + 1 < l: vnext = versions[i + 1] assert s.compare_version(vnext) < 0 def test_openssh_compare_version_simple(self): s = self.get_openssh_software('3.7.1') assert s.compare_version(None) == 1 assert s.compare_version('') == 1 assert s.compare_version('3.7') > 0 assert s.compare_version('3.7.1') == 0 assert s.compare_version(s) == 0 assert s.compare_version('3.8') < 0 assert s.between_versions('3.7', '3.8') assert s.between_versions('3.6', '3.7') is False assert s.between_versions('3.8', '3.7') is False def test_openssh_compare_version_patchlevel(self): s1 = self.get_openssh_software('2.1.1') s2 = self.get_openssh_software('2.1.1p2') assert s1.compare_version(s1) == 0 assert s2.compare_version(s2) == 0 assert s1.compare_version('2.1.1p1') == 0 assert s1.compare_version('2.1.1p2') == 0 assert s2.compare_version('2.1.1') == 0 assert s2.compare_version('2.1.1p1') > 0 assert s2.compare_version('2.1.1p3') < 0 assert s1.compare_version(s2) == 0 assert s2.compare_version(s1) == 0 def test_openbsd_compare_version_sequential(self): versions = [] for v in ['1.2.3', '2.1.0', '2.1.1', '2.2.0', '2.3.0']: versions.append(v) for v in ['2.5.0', '2.5.1', '2.5.2', '2.9', '2.9.9']: versions.append(v) for v in ['3.0', '3.0.1', '3.0.2', '3.1', '3.2.2', '3.2.3']: versions.append(v) for i in range(3, 7): versions.append('3.{0}'.format(i)) for v in ['3.6.1', '3.7.0', '3.7.1']: versions.append(v) for i in range(8, 10): versions.append('3.{0}'.format(i)) for i in range(0, 10): versions.append('4.{0}'.format(i)) for i in range(0, 10): versions.append('5.{0}'.format(i)) for i in range(0, 10): versions.append('6.{0}'.format(i)) for i in range(0, 4): versions.append('7.{0}'.format(i)) l = len(versions) for i in range(l): v = versions[i] s = self.get_openssh_software(v) assert s.compare_version(v) == 0 if i - 1 >= 0: vbefore = versions[i - 1] assert s.compare_version(vbefore) > 0 if i + 1 < l: vnext = versions[i + 1] assert s.compare_version(vnext) < 0 def test_libssh_compare_version_simple(self): s = self.get_libssh_software('0.3') assert s.compare_version(None) == 1 assert s.compare_version('') == 1 assert s.compare_version('0.2') > 0 assert s.compare_version('0.3') == 0 assert s.compare_version(s) == 0 assert s.compare_version('0.3.1') < 0 assert s.between_versions('0.2', '0.3.1') assert s.between_versions('0.1', '0.2') is False assert s.between_versions('0.3.1', '0.2') is False def test_libssh_compare_version_sequential(self): versions = [] for v in ['0.2', '0.3']: versions.append(v) for i in range(1, 5): versions.append('0.3.{0}'.format(i)) for i in range(0, 9): versions.append('0.4.{0}'.format(i)) for i in range(0, 6): versions.append('0.5.{0}'.format(i)) for i in range(0, 6): versions.append('0.6.{0}'.format(i)) for i in range(0, 4): versions.append('0.7.{0}'.format(i)) l = len(versions) for i in range(l): v = versions[i] s = self.get_libssh_software(v) assert s.compare_version(v) == 0 if i - 1 >= 0: vbefore = versions[i - 1] assert s.compare_version(vbefore) > 0 if i + 1 < l: vnext = versions[i + 1] assert s.compare_version(vnext) < 0